Preface



The annual conference of the European Association for Computer Science Logic, CSL 2003, was held jointly with the 8th Kurt Gödel Colloquium, 8. KGC, at the Vienna University of Technology on 25-30 August 2003.

The conference series CSL started as a program of international workshops on Computer Science Logic, and then in its sixth meeting became the annual conference of the EACSL. This conference was the 17th meeting and 12th EACSL conference.

The KGC is the biennial conference of the Kurt Gödel Society. It has taken place in various formats and has been devoted to special topics in logic, such as computational logic, set theory, algebraic logic, and history of logic.

The CSL 2003 and 8. KGC were organized by the Kurt Gödel Society jointly with the Institut für Algebra und Computermathematik and the Institut für Computersprachen, Vienna University of Technology.

The CSL 2003 and 8. KGC joint program committee had the difficult task of choosing among 112 mostly high-quality submissions. Each paper was refereed by at least two reviewers and then discussed by the whole program committee. In the final stage, during a three-day electronic discussion, the program committee selected 39 papers for presentation at the conference and publication in these proceedings. Unfortunately, many high-quality papers had to be rejected due to the limitations set by the conference duration.

The program committee chose as invited speakers Bruno Buchberger, Dov Gabbay, Helmut Veith, Nikolai Vorobjov, and Andrei Voronkov. Additionally, Sergei Artemov was invited jointly by CSL 2003 and 8. KGC and the European Summer School in Logic, Language and Information (ESSLLI 2003) for the keynote address of both events.

In addition to the main conference program, CSL 2003 and 8. KGC featured four tutorials given by Ahmed Bouajjani (Verification of Infinite State Systems), Georg Moser and Richard Zach (The Epsilon Calculus), Nikolai Vorobjov (Effective Quantifier Elimination over Real Closed Fields), Igor Walukiewicz (Winning Strategies and Synthesis of Controllers).

The last day of CSL 2003 and 8. KGC was jointly held with the 2nd annual workshop of the European Research Training Network GAMES (Games and Automata for Synthesis and Validation), organized by Erich Grädel.

We thank the program committee and all the referees for the work in reviewing the papers. We are grateful to Norbert Preining for taking care of the main organizational tasks and we thank the remaining members of the local organizing team, Arnold Beckmann, Agata Ciabattoni, Christian Fermüller, Rosalie Iemhoff, and Sebastiaan Terwijn.
We would like to thank the following institutions for supporting the meeting: 
the European Association for Computer Science Logic (EACSL), the Austrian 
Federal Ministry for Education, Science and Culture, the City Council of Vienna, 
the Vienna University of Technology, and the companies IBM and Siemens. 



June 2003 



Matthias Baaz and Johann Makowsky 
Deciding Monotonic Games



Parosh Aziz Abdulla^1, Ahmed Bouajjani^2, and Julien d'Orso^1

^1 Uppsala University, Sweden

^2 University of Paris 7, France



Abstract. In an earlier work [ACJYK00] we presented a general framework for verification of infinite-state transition systems, where the transition relation is monotonic with respect to a well quasi-ordering on the set of states. In this paper, we investigate extending the framework from the context of transition systems to that of games. We show that monotonic games are in general undecidable. We identify a subclass of monotonic games, called downward closed games. We provide algorithms for analyzing downward closed games subject to winning conditions which are formulated as safety properties.



1 Introduction 

One of the main challenges undertaken by the model checking community has been to develop algorithms which can deal with infinite state spaces. In a previous work [ACJYK00] we presented a general framework for verification of infinite-state transition systems. The framework is based on the assumption that the transition relation is monotonic with respect to a well quasi-ordering on the set of states (configurations). The framework has been used both to give uniform explanations of existing results for infinite-state systems such as Petri nets, timed automata [AD90], lossy channel systems [AJ96b], and relational automata [BBK77,Cer94]; and to derive novel algorithms for model checking of broadcast protocols [EFM99,DEP99], timed Petri nets [AN01], and cache coherence protocols [Del00], etc.

A related approach to model checking is that of control [AHK97]. Behaviours of reactive systems can naturally be described as games [dAHM01,Tho02], where control problems can be reduced to the problem of providing winning strategies. Since the state spaces of reactive systems are usually infinite, it is relevant to try to design algorithms for solving games over infinite state spaces.

In this paper, we consider extending the framework of [ACJYK00] from the context of transition systems to that of games. This turns out to be non-trivial. In fact, for one of the simplest classes of monotonic transition systems, namely Petri nets, we show that the game problem is undecidable. The negative result holds for games with the simplest possible winning condition, namely that of safety. Such a game is played between two players A and B, where player A tries to avoid a given set of bad configurations, while player B tries to force the play into such a configuration. On the other hand, we show decidability of the safety game problem for a subclass of monotonic games, namely downward closed games: if a player can make a move from a configuration $c_1$ to another configuration $c_2$, then all configurations which are larger than $c_1$ (with respect to the ordering on the state space) can also make a move to $c_2$. Typical examples of downward closed systems are those with lossy behaviours such as lossy channel systems [AJ96b] and lossy VASS [BM99].

We summarize our (un)decidability results as follows: 

— Decidability of the safety problem for games where player B has a downward closed behaviour (a B-downward closed game). Considering the case where only one player is downward closed is relevant, since it allows, for instance, modelling behaviours of systems where one player (representing the environment) may lose messages in a lossy channel system (a so-called B-LCS game). In case player A has a deterministic behaviour (has no choices), our algorithm for B-downward closed games degenerates to the symbolic backward algorithm presented in [AJ96b,ACJYK00] for checking safety properties. In fact, we give a characterization of the set of winning (and losing) configurations in such a game. Observe that this result implies decidability of the case when both players have downward closed behaviours.

— Decidability of the safety problem for A-downward closed games. In case player B has a deterministic behaviour, our algorithm for A-downward closed games degenerates to the forward algorithms described in [AJ96b,ACJYK00] and [Fin94,FS98] for checking eventuality properties (of the form $\forall\Diamond p$). However, in contrast to B-downward closed games, we show it is not possible to give a characterization of the set of winning (or losing) configurations.

— Decidability results for downward closed games do not extend to monotonic 
games. In particular we show that deciding safety properties for games based 
on VASS (Vector Addition Systems with States), is undecidable. VASS is a 
variant of Petri nets. The undecidability result holds even if both players are 
assumed to have monotonic behaviours. 

— Undecidability of parity games for both A- and B-downward closed games. 
In a parity game, each configuration is equipped with a rank chosen from a 
finite set of natural numbers. The winning condition is defined by the parity 
of the lowest rank of a configuration appearing in the play. In particular, 
we show undecidability of parity games for both A-LCS and B-LCS games. 
On the other hand, if both players can lose messages, then the problem is 
decidable. 

Outline. In the next Section, we recall some basic definitions for games. In 
Section 3, we introduce monotonic and downward closed games. We present a 
symbolic algorithm for solving the safety problem for B-downward closed games 
in Section 4; and apply the algorithm to B-LCS in Section 5. In Section 6, 
we consider A-downward closed games. In Section 7, we show that the safety 
problem is undecidable for monotonic games. In Section 8, we study decidability 
of parity games for the above models. 
2 Preliminaries

In this section, we recall some standard definitions for games. 

A game $G$ is a tuple $(C, C_A, C_B, \rightarrow, C_F)$, where $C$ is a (possibly infinite) set of configurations, $C_A, C_B$ is a partitioning of $C$, $\rightarrow \subseteq (C_A \times C_B) \cup (C_B \times C_A)$ is a set of transitions, and $C_F \subseteq C_A$ is a finite set of final configurations. We write $c_1 \rightarrow c_2$ to denote that $(c_1, c_2) \in \rightarrow$. For a configuration $c$, we define $Pre(c) = \{c' \mid c' \rightarrow c\}$, and define $Post(c) = \{c' \mid c \rightarrow c'\}$. We extend $Pre$ to sets of configurations such that $Pre(D) = \bigcup_{c \in D} Pre(c)$. The function $Post$ can be extended in a similar manner. Without loss of generality, we assume that there is no deadlock, i.e., $Post(c) \neq \emptyset$ for each configuration $c$. For a set $D \subseteq C_A$ of configurations, we define $\overline{D}$ to be the set $C_A \setminus D$. The operator $\overline{\cdot}$ is defined in a similar manner (for subsets of $C_B$). For a set $D \subseteq C_A$, we use $\widetilde{Pre}(D)$ to denote $\overline{Pre(\overline{D})}$.

For $E \subseteq C_B$, we define $\widetilde{Pre}(E)$ in a similar manner.

A play $P$ (of $G$) from a configuration $c$ is an infinite sequence $c_0, c_1, c_2, \ldots$ of configurations such that $c_0 = c$, and $c_i \rightarrow c_{i+1}$, for each $i \geq 0$. A play $c_0, c_1, c_2, \ldots$ is winning (for A) if there is no $j \geq 0$ with $c_j \in C_F$.

A strategy for player A (or simply an A-strategy) is a partial function $\sigma_A : C_A \mapsto C_B$ such that $c \rightarrow \sigma_A(c)$. A B-strategy is a partial function $\sigma_B : C_B \mapsto C_A$ and is defined in a similar manner to $\sigma_A$. A configuration $c \in C_A$ together with strategies $\sigma_A$ and $\sigma_B$ (for players A and B respectively) define a play $P(c, \sigma_A, \sigma_B) = c_0, c_1, c_2, \ldots$ from $c$ where $c_{2i+1} = \sigma_A(c_{2i})$, and $c_{2i+2} = \sigma_B(c_{2i+1})$, for $i \geq 0$. A similar definition is used in case $c \in C_B$ (interchanging the order of applications of $\sigma_A$ and $\sigma_B$ to the configurations in the sequence).

An A-strategy $\sigma_A$ is said to be winning from a configuration $c$, if for all B-strategies $\sigma_B$, it is the case that $P(c, \sigma_A, \sigma_B)$ is winning. A configuration $c$ is said to be winning if there is a winning A-strategy from $c$.

We shall consider the safety problem for games: 

The safety problem 

Instance. A game G and a configuration c. 

Question. Is c winning? 



3 Ordered Games 

In this section, we introduce monotonic and downward closed games. 

Orderings. Let $A$ be a set and let $\preceq$ be a quasi-order (i.e. a reflexive and transitive binary relation) on $A$. We say that $\preceq$ is a well quasi-ordering (wqo) on $A$ if there is no infinite sequence $a_0, a_1, a_2, \ldots$ with $a_i \not\preceq a_j$ for $i < j$. For $B \subseteq A$, we say that $B$ is canonical if there are no $a, b \in B$ with $a \neq b$ and $a \preceq b$. We use $\min$ to denote a function where, for $B \subseteq A$, the value of $\min(B)$ is a canonical subset of $B$ such that for each $b \in B$ there is $a \in \min(B)$ with $a \preceq b$. We say that $\preceq$ is decidable if, given $a, b \in A$ we can decide whether $a \preceq b$. A set $B \subseteq A$ is said to be upward closed if $a \in B$ and $a \preceq b$ imply $b \in B$. A downward closed set is defined in a similar manner.

Monotonic Games. An ordered game $G$ is a tuple $(C, C_A, C_B, \rightarrow, C_F, \preceq)$, where $(C, C_A, C_B, \rightarrow, C_F)$ is a game and $\preceq \subseteq (C_A \times C_A) \cup (C_B \times C_B)$ is a decidable wqo on the sets $C_A$ and $C_B$. The ordered game $G$ is said to be monotonic with respect to player A (or simply A-monotonic) if, for each $c_1, c_2 \in C_A$ and $c_3 \in C_B$, whenever $c_1 \preceq c_2$ and $c_1 \rightarrow c_3$, there is a $c_4$ with $c_3 \preceq c_4$ and $c_2 \rightarrow c_4$. A B-monotonic game is defined in a similar manner. A monotonic game is both A-monotonic and B-monotonic.

Downward Closed Games. An ordered game $G = (C, C_A, C_B, \rightarrow, C_F, \preceq)$ is said to be A-downward closed if, for each $c_1, c_2 \in C_A$ and $c_3 \in C_B$, whenever $c_1 \rightarrow c_3$ and $c_1 \preceq c_2$, then $c_2 \rightarrow c_3$. A B-downward closed game is defined in a similar manner. A game is downward closed if it is both A- and B-downward closed. Notice that each class of downward closed games is included in the corresponding class of monotonic games. For instance, each A-downward closed game is A-monotonic. From the definitions we get the following property.

Lemma 1. For an A-downward closed game $G$ and any set $E \subseteq C_B$, the set $Pre(E)$ is upward closed. A similar result holds for B-downward closed games.

4 B-Downward Closed Games 

We present a symbolic algorithm for solving the safety problem for B-downward closed games. In the rest of this section, we assume a B-downward closed game

$G = (C, C_A, C_B, \rightarrow, C_F, \preceq)$.

Scheme. Given a configuration $c$ in $G$, we want to decide whether $c$ is winning or not. To do that, we introduce a scheme by considering a sequence of sets of configurations of the form:

$s : D_0, E_0, D_1, E_1, D_2, E_2, \ldots$

where $D_i \subseteq C_A$ and $E_i \subseteq C_B$. Intuitively, the sets $D_i$ and $E_i$ characterize the configurations (in $C_A$ and $C_B$ respectively) which are not winning. The elements of the sequence are defined by

$D_0 = C_F \qquad E_0 = Pre(D_0)$

$D_{i+1} = D_i \cup \widetilde{Pre}(E_i) \qquad E_{i+1} = E_i \cup Pre(D_{i+1}) \qquad i = 0, 1, 2, \ldots$

We say that $s$ converges (at $i$) if $D_{i+1} \subseteq D_i$ or $E_{i+1} \subseteq E_i$. In such a case, the set $D_{i+1} \cup E_{i+1}$ characterizes exactly the set of configurations which are not winning. The question of whether a given configuration $c$ is winning amounts therefore to whether $c \notin (D_{i+1} \cup E_{i+1})$. To show that our characterization is correct, we show the following two Lemmas. The first Lemma shows that if $c$ appears in one of the generated sets then it is not a winning configuration. The second Lemma states that if the sequence converges, then the generated sets contain all non-winning configurations.
Lemma 2. If $c \in D_i \cup E_i$ for some $i \geq 0$, then $c$ is not winning.

Lemma 3. If $s$ converges and $c \notin D_i \cup E_i$ for each $i \geq 0$, then $c$ is winning.
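As an added illustration (not code from the paper), the scheme above run on a small finite game constructed here; the configuration names and transitions are made up, and the game satisfies the no-deadlock assumption. Because the game is finite, $\widetilde{Pre}$ is computed directly as the set of A-configurations all of whose successors lie in the given set, and convergence is detected exactly as in the definition. Lemmas 2 and 3 together say that the returned set is exactly the set of non-winning configurations.

```python
# Added example: the backward scheme D_0, E_0, D_1, E_1, ... of Section 4
# on a constructed finite game. Nothing here is taken from the paper.
from typing import Dict, FrozenSet, Set

# Constructed game: A-configurations a0..a2, B-configurations b0..b2.
# Transitions alternate between the two sides; C_F = {a2}.
C_A: FrozenSet[str] = frozenset({"a0", "a1", "a2"})
C_B: FrozenSet[str] = frozenset({"b0", "b1", "b2"})
C_F: FrozenSet[str] = frozenset({"a2"})
TRANSITIONS: Dict[str, FrozenSet[str]] = {
    "a0": frozenset({"b0", "b1"}),
    "a1": frozenset({"b1", "b2"}),
    "a2": frozenset({"b2"}),
    "b0": frozenset({"a0"}),
    "b1": frozenset({"a1", "a2"}),
    "b2": frozenset({"a2"}),
}


def post(c: str) -> FrozenSet[str]:
    """Post(c): the successors of c."""
    return TRANSITIONS[c]


def pre(targets: Set[str]) -> Set[str]:
    """Pre(D): configurations with at least one successor in D."""
    return {c for c in TRANSITIONS if post(c) & targets}


def pre_tilde(targets: Set[str], side: FrozenSet[str]) -> Set[str]:
    """~Pre(D) = complement(Pre(complement(D))), restricted to `side`:
    the configurations on that side ALL of whose successors lie in D."""
    return {c for c in side if post(c) <= targets}


def non_winning() -> Set[str]:
    """Run the sequence until it converges and return D ∪ E, the set of
    configurations from which player A cannot avoid C_F forever."""
    for c in TRANSITIONS:
        assert post(c), f"deadlock at {c}: the scheme assumes Post(c) != {{}}"
    d, e = set(C_F), pre(set(C_F))            # D_0 = C_F, E_0 = Pre(D_0)
    while True:
        d_next = d | pre_tilde(e, C_A)        # D_{i+1} = D_i ∪ ~Pre(E_i)
        e_next = e | pre(d_next)              # E_{i+1} = E_i ∪ Pre(D_{i+1})
        if d_next <= d or e_next <= e:        # s converges at i
            return d_next | e_next
        d, e = d_next, e_next


def is_winning(c: str) -> bool:
    """Answer the safety problem for configuration c."""
    return c not in non_winning()
```

On this game the sequence converges after one round: $a_1$ is added to $D_1$ because both of its successors lie in $E_0 = \{b_1, b_2\}$, while $a_0$ stays winning since player A can keep choosing $b_0$, whose only successor is $a_0$ again.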

Below, we present a symbolic algorithm based on the scheme above. We 
shall work with constraints which we use as symbolic representations of sets of 
configurations. 

Constraints. An A-constraint $\phi$ denotes a (potentially infinite) set $[\![\phi]\!] \subseteq C_A$ of configurations. A B-constraint is defined in a similar manner. For constraints $\phi_1$ and $\phi_2$, we use $\phi_1 \sqsubseteq \phi_2$ to denote that $[\![\phi_2]\!] \subseteq [\![\phi_1]\!]$. For a set $\Theta$ of constraints, we use $[\![\Theta]\!]$ to denote $\bigcup_{\phi \in \Theta} [\![\phi]\!]$. For sets of constraints $\Theta_1$ and $\Theta_2$, we use $\Theta_1 \sqsubseteq \Theta_2$ to denote that for each $\phi_2 \in \Theta_2$ there is a $\phi_1 \in \Theta_1$ with $\phi_1 \sqsubseteq \phi_2$. Notice that $\Theta_1 \sqsubseteq \Theta_2$ implies $[\![\Theta_2]\!] \subseteq [\![\Theta_1]\!]$. Sometimes, we identify constraints with their interpretations, so we write $c \in \phi$, $\phi_1 \subseteq \phi_2$, $\phi_1 \cap \phi_2$, $\neg\phi$, etc. We consider a particular class of B-constraints which we call upward closed constraints. An upward closed constraint is of the form $c{\uparrow}$, where $c \in C_B$, and has an interpretation $[\![c{\uparrow}]\!] = \{c' \mid c \preceq c'\}$.

A set $\mathcal{F}$ of A-constraints is said to be effective with respect to the game $G$ if

— The set $C_F$ is characterized by a finite set $\Theta_F \subseteq \mathcal{F}$ (i.e. $[\![\Theta_F]\!] = C_F$).

— For a configuration $c \in C_A$ and a constraint $\phi \in \mathcal{F}$, we can decide whether $c \in [\![\phi]\!]$.

— For each $\phi \in \mathcal{F}$ we can compute a finite set $\Theta'$ of upward closed constraints such that $[\![\Theta']\!] = Pre([\![\phi]\!])$. In such a case we use $Pre(\phi)$ to denote the set $\Theta'$. Notice that $Pre([\![\phi]\!])$ is upward closed by Lemma 1. Also, observe that computability of $Pre(\phi)$ implies that, for a finite set $\Theta \subseteq \mathcal{F}$, we can compute a finite set $\Theta'$ of upward closed constraints such that $[\![\Theta']\!] = Pre([\![\Theta]\!])$.

— For each finite set $\Theta$ of upward closed constraints, we can compute a finite set $\Theta' \subseteq \mathcal{F}$ such that $[\![\Theta']\!] = \widetilde{Pre}([\![\Theta]\!])$. In such a case we use $\widetilde{Pre}(\Theta)$ to denote the set $\Theta'$.

The game $G$ is said to be effective if there is a set of constraints which is effective with respect to $G$.

Symbolic Algorithm. Given a constraint system $\mathcal{F}$ which is effective with respect to the game $G$, we can solve the safety game problem by deriving a symbolic algorithm from the scheme described above. Each $D_i$ will be characterized by a finite set of constraints $\Theta_i \subseteq \mathcal{F}$, and each $E_i$ will be represented by a finite set of upward closed constraints $\Theta'_i$. More precisely:

$\Theta_0 = \Theta_F \qquad \Theta'_0 = Pre(\Theta_0)$

$\Theta_{i+1} = \Theta_i \cup \widetilde{Pre}(\Theta'_i) \qquad \Theta'_{i+1} = \Theta'_i \cup Pre(\Theta_{i+1}) \qquad i = 0, 1, 2, \ldots$

The algorithm terminates in case $\Theta'_i \sqsubseteq \Theta'_{i+1}$. In such a case, a configuration $c$ is not winning if and only if $c \in [\![\Theta_{i+1}]\!] \cup [\![\Theta'_i]\!]$. This gives an effective procedure for deciding the safety game problem according to the following
— Each step can be performed due to effectiveness of $\mathcal{F}$ with respect to $G$.

— For a configuration $c \in C_A$ and a constraint $\phi \in \Theta_i$, we can check $c \in [\![\phi]\!]$ due to effectiveness of $\mathcal{F}$ with respect to $G$. For a configuration $c \in C_B$ and a constraint $\phi \in \Theta'_i$, we can check $c \in [\![\phi]\!]$ due to decidability of $\preceq$.

— For a configuration $c$ and an upward closed constraint $\phi = c'{\uparrow}$, we can check $c \in [\![\phi]\!]$, since $\preceq$ is decidable and since $c \in [\![\phi]\!]$ if and only if $c' \preceq c$.

— The termination condition can be checked due to decidability of $\preceq$ (which implies decidability of $\sqsubseteq$).

— Termination is guaranteed due to well quasi-ordering of $\preceq$ (which implies well quasi-ordering of $\sqsubseteq$).

From this we get the following 

Theorem 1. The safety problem is decidable for the class of effective B-downward closed games.

5 B-LCS 

In this section, we apply the symbolic algorithm presented in Section 4 to solve 
the safety game problem for B-LCS games: games between two players operating 
on a finite set of channels (unbounded FIFO buffers), where player B is allowed 
to lose any number of messages after each move. 

A B-lossy channel system (B-LCS) is a tuple $(S, S_A, S_B, L, M, T, S_F)$, where $S$ is a finite set of (control) states, $S_A, S_B$ is a partitioning of $S$, $L$ is a finite set of channels, $M$ is a finite message alphabet, $T$ is a finite set of transitions, and $S_F \subseteq S_A$ is the set of final states. Each transition in $T$ is a triple $(s_1, op, s_2)$, where

— either $s_1 \in S_A$ and $s_2 \in S_B$, or $s_1 \in S_B$ and $s_2 \in S_A$.

— $op$ is of one of the forms: $\ell!m$ (sending message $m$ to channel $\ell$), or $\ell?m$ (receiving message $m$ from channel $\ell$), or $nop$ (not affecting the contents of the channels).

A B-LCS $\mathcal{C} = (S, S_A, S_B, L, M, T, S_F)$ induces a B-downward closed game $G = (C, C_A, C_B, \rightarrow, C_F, \preceq)$ as follows:

— Configurations: Each configuration $c \in C$ is a pair $(s, w)$, where $s \in S$, and $w$, called a channel state, is a mapping from $L$ to $M^*$. In other words, a configuration is defined by the control state and the contents of the channels. We partition the set $C$ into $C_A = \{(s, w) \mid s \in S_A\}$ and $C_B = \{(s, w) \mid s \in S_B\}$.

— Final Configurations: The set $C_F$ is defined to be $\{(s, w) \mid s \in S_F\}$.

— Ordering: For $x_1, x_2 \in M^*$, we use $x_1 \preceq x_2$ to denote that $x_1$ is a (not necessarily contiguous) substring of $x_2$. For channel states $w_1, w_2$, we use $w_1 \preceq w_2$ to denote that $w_1(\ell) \preceq w_2(\ell)$ for each $\ell \in L$. We use $(s_1, w_1) \preceq (s_2, w_2)$ to denote that both $s_1 = s_2$ and $w_1 \preceq w_2$. The ordering $\preceq$ is decidable and a wqo (by Higman's Lemma [Hig52]).
— Non-loss transitions: $(s_1, w_1) \rightarrow (s_2, w_2)$ if one of the following conditions is satisfied

• There is a transition in $T$ of the form $(s_1, \ell!m, s_2)$, and $w_2$ is the result of appending $m$ to the end of $w_1(\ell)$.

• There is a transition in $T$ of the form $(s_1, \ell?m, s_2)$, and $w_1$ is the result of appending $m$ to the head of $w_2(\ell)$.

• There is a transition in $T$ of the form $(s_1, nop, s_2)$, and $w_2 = w_1$.

— Loss transitions: If $s_1 \in S_B$ and $(s_1, w_1) \rightarrow (s_2, w_2)$ according to one of the previous rules then $(s_1, w_1) \rightarrow (s_2, w_2')$ for each $(s_2, w_2') \preceq (s_2, w_2)$.

Remark. To satisfy the condition that there are no deadlock states in games induced by B-LCS, we can always add two "winning" states $s_1^* \in S_A$, $s_2^* \in S_B$, and two "losing" states $s_3^* \in S_A$, $s_4^* \in S_B$, where $s_3^* \in S_F$, and $s_1^* \notin S_F$. We add four transitions $(s_1^*, nop, s_2^*)$, $(s_2^*, nop, s_1^*)$, $(s_3^*, nop, s_4^*)$, and $(s_4^*, nop, s_3^*)$. Furthermore, we add transitions $(s, nop, s_4^*)$ for each $s \in S_A$, and $(s, nop, s_1^*)$ for each $s \in S_B$. Intuitively, if player A enters a configuration where he has no other options, then he is forced to move to $s_4^*$, losing the game. A similar reasoning holds for player B.

We show decidability of the safety problem for B-LCS using Theorem 1. To do that we first describe upward closed constraints for B-LCS, and then introduce constraints which are effective with respect to B-LCS. We introduce upward closed constraints in several steps. First, we define upward closed constraints on words, and then generalize them to channel states and configurations. An upward closed constraint over $M$ is of the form $X{\uparrow}$ where $X \subseteq M^*$, and has an interpretation $[\![X{\uparrow}]\!] = \{x \mid \exists x' \in X.\ x' \preceq x\}$. An upward closed constraint $\phi$ over channel states is a mapping from $L$ to upward closed constraints over $M$, with an interpretation $[\![\phi]\!] = \{w \mid \forall \ell \in L.\ w(\ell) \in [\![\phi(\ell)]\!]\}$. We use $w{\uparrow}$ to denote the upward closed constraint $\phi$ over channel states where $\phi(\ell) = w(\ell){\uparrow}$ for each $\ell \in L$. An upward closed constraint $\phi$ (over configurations) is of the form $(s, \phi')$, where $s \in S$ and $\phi'$ is an upward closed constraint over channel states, with an interpretation $[\![\phi]\!] = \{(s, w) \mid w \in [\![\phi']\!]\}$. We use $(s, w){\uparrow}$ to denote the upward closed constraint $(s, w{\uparrow})$.

We introduce extended upward closed constraints which we show to be effective with respect to B-LCS games. An extended upward closed constraint over $M$ is of the form $x \cdot \phi$, where $x \in M^*$ and $\phi$ is an upward closed constraint over $M$, and has an interpretation $[\![x \cdot \phi]\!] = \{x \cdot x' \mid x' \in [\![\phi]\!]\}$. Extended upward closed constraints are generalized to channel states and configurations in a similar manner to above.

In the rest of this section we prove the following lemma 
Lemma 4 . Extended upward closed constraints are effective for B-LCS games. 
From Theorem 1 and Lemma 4 we get the following 
Theorem 2. The safety problem is decidable for B-LCS games. 

We devote the rest of this section to the proof of Lemma 4 . This is achieved 
as follows: 
— The set $C_F$ is characterized by the (finite) set of constraints of the form $(s, \phi)$ where $s \in S_F$ and $\phi$ is an extended upward closed constraint over channels, where $\phi(\ell) = \epsilon \cdot \epsilon{\uparrow}$ for each $\ell \in L$ (notice that $[\![\epsilon \cdot \epsilon{\uparrow}]\!] = M^*$).

— For a configuration $c \in C_A$ and an extended constraint $\phi$ we can check whether $c \in [\![\phi]\!]$ (Lemma 5).

— For each extended upward closed constraint $\phi$, we can compute a finite set $\psi$ of upward closed constraints, such that $\psi = Pre(\phi)$ (Lemma 7).

— For each finite set $\psi_1$ of upward closed constraints, we can compute a finite set $\psi_2$ of extended upward closed constraints, such that $\psi_2 = \widetilde{Pre}(\psi_1)$ (Lemma 6).

For words $x_1, x_2$, we use $x_1 \sqcap x_2$ to denote the (finite) set of minimal (with respect to $\preceq$) words $x_3$ such that $x_1 \preceq x_3$ and $x_2 \preceq x_3$.
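As an added example (not code from the paper), the subword ordering $\preceq$ on $M^*$ from the Ordering item above, membership in an upward closed constraint $X{\uparrow}$, and the operation $x_1 \sqcap x_2$ just defined. The recursive merge in `meet` and the brute-force check `intersection_of_upward_closed` are constructions of this example; the latter confirms, over all words up to a given length, that $[\![x_1{\uparrow}]\!] \cap [\![x_2{\uparrow}]\!] = [\![(x_1 \sqcap x_2){\uparrow}]\!]$, which is what makes $\sqcap$ useful when intersecting upward closed constraints. All words and alphabets used are made up.

```python
# Added example: subword ordering, upward closed constraints over words,
# and x1 ⊓ x2 (minimal common superwords). Inputs are constructed.
from itertools import product
from typing import Iterable, Set


def embeds(x: str, y: str) -> bool:
    """x ⪯ y: x is a (not necessarily contiguous) subword of y."""
    it = iter(y)
    return all(ch in it for ch in x)   # each letter of x is found in order


def in_upward_closed(word: str, generators: Iterable[str]) -> bool:
    """word ∈ [[X↑]] = {x | ∃x' ∈ X. x' ⪯ x}."""
    return any(embeds(g, word) for g in generators)


def minimal(words: Set[str]) -> Set[str]:
    """Keep only the ⪯-minimal elements (a canonical subset)."""
    return {w for w in words
            if not any(v != w and embeds(v, w) for v in words)}


def meet(x1: str, x2: str) -> Set[str]:
    """x1 ⊓ x2: all ⪯-minimal words x3 with x1 ⪯ x3 and x2 ⪯ x3.
    A minimal common superword starts with the shared first letter if there
    is one; otherwise it starts with the first letter of x1 or of x2. The
    final filter removes candidates that embed another candidate."""
    if not x1:
        return {x2}
    if not x2:
        return {x1}
    if x1[0] == x2[0]:
        return {x1[0] + m for m in meet(x1[1:], x2[1:])}
    cands = {x1[0] + m for m in meet(x1[1:], x2)}
    cands |= {x2[0] + m for m in meet(x1, x2[1:])}
    return minimal(cands)


def intersection_of_upward_closed(x1: str, x2: str,
                                  alphabet: str, max_len: int) -> bool:
    """Brute-force check of [[x1↑]] ∩ [[x2↑]] = [[(x1 ⊓ x2)↑]] over all words
    of length <= max_len, i.e. that ⊓ yields the generators of the
    intersection of two upward closed constraints."""
    gens = meet(x1, x2)
    for n in range(max_len + 1):
        for letters in product(alphabet, repeat=n):
            w = "".join(letters)
            lhs = embeds(x1, w) and embeds(x2, w)
            rhs = in_upward_closed(w, gens)
            if lhs != rhs:
                return False
    return True
```

Note that the minimal common superwords of two words need not all have the same length: for `ab` and `ca`, both `cab` and the longer `abca` are $\preceq$-minimal, so $x_1 \sqcap x_2$ is genuinely a set of incomparable generators rather than a single shortest word.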

Lemma 5. For a configuration $c \in C_A$ and an extended constraint $\phi$ we can check whether $c \in [\![\phi]\!]$.

Lemma 6. For each finite set $\psi_1$ of upward closed constraints, we can compute a finite set $\psi_2$ of extended upward closed constraints, such that $\psi_2 = \widetilde{Pre}(\psi_1)$.

Lemma 7. For each extended upward closed constraint $\phi$, we can compute a finite set $\psi$ of upward closed constraints, such that $\psi = Pre(\phi)$.

Remark. Theorem 1 holds also in the case where both players can lose messages. 
In fact, we can show that negation constraints are effective with respect to such 
games. 

6 A-Downward Closed Games 

We present an algorithm for solving the safety problem for A-downward closed 
games. We use the algorithm to prove decidability of the safety problem for a 
variant of lossy channel games, namely A-LCS. 

An A-downward closed game is said to be effective if for each configuration 
c we can compute the set Post(c). Observe that this implies that the game is 
finitely branching. 

Suppose that we want to check whether a configuration $c_{init} \in C_A$ is winning. The algorithm builds an AND-OR tree, where each node of the tree is labelled with a configuration. OR-nodes are labelled with configurations in $C_A$, while AND-nodes are labelled with configurations in $C_B$.

We build the tree successively, starting from the root, which is labelled with $c_{init}$ (the root is therefore an OR-node). At each step we pick a leaf with label $c$ and perform one of the following operations:

— If $c \in C_F$ then we declare the node unsuccessful and close the node (we will not expand the tree further from the node).

— If $c \in C_A$, $c \notin C_F$, and there is a predecessor of the node in the tree with label $c'$ where $c' \preceq c$ then we declare the node successful and close the node.

— Otherwise, we add a set of successors, each labelled with an element in $Post(c)$. This step is possible by the assumption that the game is effective.

The procedure terminates by König's Lemma and by well quasi-ordering of $\preceq$. The resulting tree is evaluated interpreting AND-nodes as conjunction, OR-nodes as disjunction, successful leaves as the constant true and unsuccessful leaves as the constant false. The algorithm answers "yes" if and only if the resulting tree evaluates positively.
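As an added example (not code from the paper), the AND-OR tree procedure above run on a constructed "lossy counter" game. The game, its control states `p`, `q`, `r`, `t` and the counter ordering are all made up for illustration: player A may always drop the counter to any smaller value, which is what makes the game A-downward closed, and `Post` is finite and computable, so the game is effective. The tree is built and evaluated in one recursion; the ancestor check implements the second rule and is what stops the otherwise unbounded `p`, `t`, `p`, ... branches.

```python
# Added example: the AND-OR tree algorithm of Section 6 on a constructed
# A-downward closed game over configurations (state, counter).
from typing import List, Set, Tuple

Config = Tuple[str, int]   # (control state, counter value in ℕ)

A_STATES = {"p", "q"}      # C_A: configurations whose state is an A-state
B_STATES = {"r", "t"}      # C_B
FINAL_STATES = {"q"}       # C_F = {(q, n) | n ∈ ℕ}


def leq(c1: Config, c2: Config) -> bool:
    """c1 ⪯ c2: same control state and a smaller or equal counter.
    This is a decidable wqo on each of C_A and C_B."""
    return c1[0] == c2[0] and c1[1] <= c2[1]


def post(c: Config) -> Set[Config]:
    """Post(c), finite and computable (the game is effective). From an
    A-state the player may lose any part of the counter (m <= n), so a
    larger A-configuration has every move of a smaller one: the game is
    A-downward closed."""
    s, n = c
    if s == "p":
        moves = {("r", m) for m in range(n + 1)}
        if n >= 1:                        # the t-branch opens up at n >= 1
            moves |= {("t", m) for m in range(n + 1)}
        return moves
    if s == "q":
        return {("r", m) for m in range(n + 1)}
    if s == "r":
        return {("q", n)}                 # B can end the play in C_F
    return {("p", n + 1)}                 # s == "t": control back to A, +1


def evaluate(c: Config, ancestors: List[Config]) -> bool:
    """Build the subtree rooted at c and evaluate it: OR-nodes for C_A,
    AND-nodes for C_B; closed leaves are true (successful) or false."""
    s, _ = c
    if s in FINAL_STATES:
        return False                      # c ∈ C_F: unsuccessful leaf
    if s in A_STATES and any(leq(anc, c) for anc in ancestors):
        return True                       # some ancestor c' ⪯ c: successful
    children = [evaluate(d, ancestors + [c]) for d in post(c)]
    assert children, "the game must be deadlock-free"
    return any(children) if s in A_STATES else all(children)


def is_winning(c_init: Config) -> bool:
    """Answer the safety problem for c_init ∈ C_A."""
    assert c_init[0] in A_STATES
    return evaluate(c_init, [])


def a_downward_closed_upto(max_n: int) -> bool:
    """Check the A-downward closure condition on A-configurations with
    counters up to max_n: c1 → c3 and c1 ⪯ c2 imply c2 → c3."""
    for s in A_STATES:
        for n1 in range(max_n + 1):
            for n2 in range(n1, max_n + 1):
                if not post((s, n1)) <= post((s, n2)):
                    return False
    return True
```

From $(p, 0)$ the only move is to $(r, 0)$, where B moves into the final state, so the root evaluates to false. From $(p, 1)$ player A can move to $(t, 0)$, whose single successor $(p, 1)$ is closed as successful because the root $(p, 1)$ is an ancestor with $(p, 1) \preceq (p, 1)$; that branch makes the root true.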

Theorem 3. The safety problem is decidable for effective A-downward closed 
games. 

A-LCS. An A-LCS has the same syntax as a B-LCS. The game induced by an A-LCS has a similar behaviour to that induced by a B-LCS. The difference is in the definition of the loss transitions:

— If $s_1 \in S_A$ and $(s_1, w_1) \rightarrow (s_2, w_2)$ according to a non-loss transition then $(s_1, w_1) \rightarrow (s_2, w_2')$ for each $(s_2, w_2') \preceq (s_2, w_2)$.

It is straightforward to check that a game induced by an A-LCS is A-downward 
closed and effective. This gives the following. 

Theorem 4. The safety problem is decidable for A-LCS games. 

Although the safety problem is decidable for A-LCS games, it is not possible to give a characterization of the set of winning configurations as we did for B-LCS. By a similar reasoning to Lemma 1, the set $Pre(\overline{E_i})$ is upward closed and therefore can be characterized by a finite set of upward closed constraints for each $i \geq 0$. In turn, the set $\bigcup_{i \geq 0} D_i$ can be characterized by a finite set of negation constraints. We show that we cannot compute a finite set of negation constraints $\psi$ such that $[\![\psi]\!] = \bigcup_{i \geq 0} D_i$, as follows.

We reduce an uncomputability result reported in [BM99] for transition systems induced by lossy channel systems. The results in [BM99] imply that we cannot characterize the set of configurations $c$ satisfying the property $c \models \exists\Box\neg S_F$, i.e., we cannot characterize the set of configurations from which there is an infinite computation which never visits a given set $S_F$ of control states. Given a lossy channel system $\mathcal{C}$ (inducing a transition system) and a set $S_F$ of states, we derive an A-LCS $\mathcal{C}'$ (inducing an A-downward closed game). For each configuration $c$ in $\mathcal{C}$, it is the case that $c \models \exists\Box\neg S_F$ if and only if the configuration corresponding to $c$ is winning in the game induced by $\mathcal{C}'$. Intuitively, player A simulates the transitions of $\mathcal{C}$, while player B follows passively. More precisely, each state $s$ in $\mathcal{C}$ has a copy $s \in S_A$ in $\mathcal{C}'$. For each transition $t = (s_1, op, s_2)$ in $\mathcal{C}$, there is a corresponding "intermediate state" $s_t \in S_B$ and two corresponding transitions $(s_1, op, s_t)$ and $(s_t, nop, s_2)$ in $\mathcal{C}'$. Furthermore, we have two states $s_1 \in S_A$ and $s_2 \in S_B$ which are losing (defined in a similar manner to Section 5). Each configuration in $C_A$ can perform a transition labelled with $nop$ to $s_2$. It is straightforward to check that a configuration $c$ is winning in $\mathcal{C}'$ if and only if $c \models \exists\Box\neg S_F$.

From this, we get the following: 

Theorem 5. We cannot compute a finite set of negation constraints characterizing the set of non-winning configurations in an A-LCS (although such a set always exists).
7 Undecidability of Monotonic Games

We show that the decidability of the safety problem does not extend from downward closed games to monotonic games. We show undecidability of the problem for a particular class of monotonic games, namely VASS games. In the definition of VASS games below, both players are assumed to have monotonic behaviours. Obviously, this implies undecidability for A- and B-monotonic games.

In fact, it is sufficient to consider VASS with two dimensions (two variables). Let $\mathbb{N}$ and $\mathbb{Z}$ denote the set of natural numbers and integers respectively.

VASS Games. A (2-dimensional) VASS (Vector Addition System with States) game $V$ is a tuple $(S, S_A, S_B, T, S_F)$, where $S$ is a finite set of (control) states, $S_A, S_B$ is a partitioning of $S$, $T$ is a finite set of transitions, and $S_F \subseteq S$ is the set of final states. Each transition is a triple $(s_1, (a, b), s_2)$, where

- either $s_1 \in S_A$ and $s_2 \in S_B$, or $s_1 \in S_B$ and $s_2 \in S_A$.

- $a, b \in \mathbb{Z}$. The pair $(a, b)$ represents the change made to the values of the variables during the transition.

A VASS $V = (S, S_A, S_B, T, S_F)$ induces a monotonic game $G = (C, C_A, C_B, \rightarrow, C_F, \preceq)$ as follows:

- Each configuration $c \in C$ is a triple $(s, x, y)$, where $s \in S$ and $x, y \in \mathbb{N}$. In other words, a configuration is defined by the state and the values assigned to the variables.

- $C_A = \{(s, x, y) \mid s \in S_A\}$.

- $C_B = \{(s, x, y) \mid s \in S_B\}$.

- $(s_1, x_1, y_1) \rightarrow (s_2, x_2, y_2)$ iff $(s_1, (a, b), s_2) \in T$, and $x_2 = x_1 + a$, and $y_2 = y_1 + b$. Observe that since $x_2, y_2 \in \mathbb{N}$, we implicitly require $x_2 \geq 0$ and $y_2 \geq 0$; otherwise the transition is blocked.

- $C_F = \{(s, x, y) \mid s \in S_F\}$.

- $(s_1, x_1, y_1) \preceq (s_2, x_2, y_2)$ iff $s_1 = s_2$, $x_1 \leq x_2$, and $y_1 \leq y_2$.

We can avoid deadlock in VASS games in a similar manner to Section 5. 

Theorem 6. The safety problem is undecidable for VASS games. 

Undecidability is shown through a reduction from an undecidable problem 
for 2-counter machines. 

2-Counter Machines. A 2-counter machine $M$ is a tuple $(S_M, T_M)$, where $S_M$ is a finite set of states, and $T_M$ is a finite set of transitions. Each transition is a triple of the form $(s_1, (a, b), s_2)$, or $(s_1, x = 0?, s_2)$, or $(s_1, y = 0?, s_2)$, where $s_1, s_2 \in S_M$.

A configuration of $M$ is a triple $(s, x, y)$ where $s \in S_M$ and $x, y \in \mathbb{N}$. We define a transition relation $\rightarrow$ on configurations such that $(s_1, x_1, y_1) \rightarrow (s_2, x_2, y_2)$ iff either

- $(s_1, (a, b), s_2) \in T_M$, and $x_2 = x_1 + a$, and $y_2 = y_1 + b$; or

- $(s_1, x = 0?, s_2) \in T_M$ and $x_2 = x_1 = 0$, and $y_2 = y_1$; or

- $(s_1, y = 0?, s_2) \in T_M$ and $x_2 = x_1$, and $y_2 = y_1 = 0$.

The 2-counter reachability problem is defined as follows

2-counter reachability problem

Instance. A 2-counter machine $M = (S_M, T_M)$ and two states $s_{init}, s_F \in S_M$.
Question. Is there a sequence

$(s_0, x_0, y_0) \rightarrow (s_1, x_1, y_1) \rightarrow (s_2, x_2, y_2) \rightarrow \cdots \rightarrow (s_n, x_n, y_n)$

of transitions such that $s_0 = s_{init}$, $x_0 = 0$, $y_0 = 0$, and $s_n = s_F$?

It is well-known that the 2-counter reachability problem is undecidable. In the following, we show how to reduce the 2-counter reachability problem to the safety problem for VASS games. Given a 2-counter machine $M = (S_M, T_M)$ and two states $s_{init}, s_F \in S_M$, we construct a corresponding VASS game, such that the reachability problem has a positive answer if and only if the game problem has a negative answer. Intuitively, player B emulates the moves of the 2-counter machine, while player A is passive. Tests for equality with 0 cannot be emulated directly by a VASS system. This means that player B could try to make moves not corresponding to an actual move of the 2-counter machine. However, if player B tries to "cheat", i.e. make a forbidden move, then we allow player A to go into a winning escape loop. This means that player B always chooses to make legal moves. Furthermore, we add an escape loop accessible when the system has reached the final state. This loop is winning for player B. Thus, player B wins whenever the final state is reachable. More formally, we define the VASS game $V = (S, S_A, S_B, T, S_F)$ as follows:

- $S_A = \{s_t^A \mid t \in T_M\} \cup \{s_*^A, s_{reached}^A, s_{init}^A\}$. In other words, for each transition
$t \in T_M$ there is a state $s_t^A \in S_A$. We also add three special states
$s_*^A$, $s_{reached}^A$ and $s_{init}^A$ to $S_A$.

- $S_B = \{s^B \mid s \in S_M\} \cup \{s_*^B\}$. In other words, for each state $s \in S_M$ there
is a corresponding state $s^B \in S_B$. We also add a special state $s_*^B$ to $S_B$.

- For each transition $t$ of the form $(s_1, (a, b), s_2) \in T_M$, there are two transitions
in $T$, namely $(s_1^B, (a, b), s_t^A)$ and $(s_t^A, (0, 0), s_2^B)$. Player B chooses a
move, and player A follows passively.

- For each transition $t$ of the form $(s_1, x = 0?, s_2) \in T_M$, there are three transitions
in $T$, namely $(s_1^B, (0, 0), s_t^A)$, $(s_t^A, (0, 0), s_2^B)$, and $(s_t^A, (-1, 0), s_*^A)$.
Player B may cheat here. However, if this is the case, player A will be allowed
to move to $s_*^A$, which is winning.

- Transitions of the form $(s_1, y = 0?, s_2) \in T_M$ are handled in a similar manner
to the previous case.

- There are five additional transitions in $T$, namely an initializing transition
$(s_{init}^A, (0, 0), s_{init}^B)$; an escape loop to detect that the final state has been
reached, $(s_f^B, (0, 0), s_{reached}^A)$ and $(s_{reached}^A, (0, 0), s_f^B)$; and a loop to detect
illegal moves, $(s_*^A, (0, 0), s_*^B)$ and $(s_*^B, (0, 0), s_*^A)$.

- $S_F = \{s_{reached}^A, \ldots\}$.
Let $G = (C, C_A, C_B, \longrightarrow, C_F, \preceq)$ be the monotonic game induced by $V$. We show
that there is a sequence

$(s_0, x_0, y_0) \longrightarrow (s_1, x_1, y_1) \longrightarrow (s_2, x_2, y_2) \longrightarrow \cdots \longrightarrow (s_n, x_n, y_n)$

of transitions in $M$ with $s_0 = s_{init}$, $x_0 = 0$, $y_0 = 0$, and $s_n = s_f$ iff the configuration
$(s_{init}^A, 0, 0)$ is not winning in $G$.
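The reduction above, as an added example that is not part of the paper: a small Python model that builds $V$ from a 2-counter machine following the construction and steps through the induced game, showing that a zero-test claim made while the counter is non-zero lets player A escape to $s_*^A$, whereas a truthful claim leaves A only the passive move. The sample machine and all names (`CounterMachine`, `build_vass_game`, `lift_run`, ...) are ours, and $S_F$ is assumed to contain both states of the final-state loop.

```python
"""Added example, not from the paper: the reduction behind Theorem 6 in code.
It builds the VASS game V = (S, S_A, S_B, T, S_F) from a 2-counter machine M as the
construction above prescribes and steps through the induced monotonic game, whose
moves are blocked when a counter would become negative. The sample machine and all
names (CounterMachine, build_vass_game, lift_run, ...) are ours."""
from collections import namedtuple

# Transitions of M are (s1, op, s2) with op one of ('add', a, b), ('x=0?',), ('y=0?',).
# State names of M must not be 'star', which is reserved for s_*^B below.
CounterMachine = namedtuple("CounterMachine", "states transitions")

def cm_successors(M, conf):
    """Transition relation of M on configurations (s, x, y); counters stay in N."""
    s, x, y = conf
    out = []
    for s1, op, s2 in M.transitions:
        if s1 != s:
            continue
        if op[0] == 'add':
            if x + op[1] >= 0 and y + op[2] >= 0:
                out.append((s2, x + op[1], y + op[2]))
        elif (op[0] == 'x=0?' and x == 0) or (op[0] == 'y=0?' and y == 0):
            out.append((s2, x, y))
    return out

def build_vass_game(M, s_init, s_f):
    """The VASS game V of Section 7. ('B', s) stands for s^B, ('A', 't', k) for s_t^A of
    the k-th transition, and ('A','star'), ('A','reached'), ('A','init'), ('B','star')
    for the special states s_*^A, s_reached^A, s_init^A and s_*^B."""
    s_star_A, s_reached, s_init_A = ('A', 'star'), ('A', 'reached'), ('A', 'init')
    s_star_B = ('B', 'star')
    S_A = {s_star_A, s_reached, s_init_A}
    S_B = {('B', s) for s in M.states} | {s_star_B}
    T = set()
    for k, (s1, op, s2) in enumerate(M.transitions):
        s_t = ('A', 't', k)
        S_A.add(s_t)
        if op[0] == 'add':
            # B performs the counter update; A follows passively.
            T.add((('B', s1), (op[1], op[2]), s_t))
            T.add((s_t, (0, 0), ('B', s2)))
        else:
            # B claims the counter is zero. If it is not, A can refute the claim by
            # decrementing that counter and escaping to s_*^A; if it is, the
            # decrement is blocked and A can only follow to s_2^B.
            T.add((('B', s1), (0, 0), s_t))
            T.add((s_t, (0, 0), ('B', s2)))
            T.add((s_t, (-1, 0) if op[0] == 'x=0?' else (0, -1), s_star_A))
    T |= {(s_init_A, (0, 0), ('B', s_init)),
          (('B', s_f), (0, 0), s_reached), (s_reached, (0, 0), ('B', s_f)),
          (s_star_A, (0, 0), s_star_B), (s_star_B, (0, 0), s_star_A)}
    # Assumption of this example: S_F consists of the two states of the
    # "final state reached" loop, so that entering the loop is losing for A.
    S_F = {s_reached, ('B', s_f)}
    return S_A, S_B, T, S_F

def game_successors(T, conf):
    """Moves of the induced game from (s, x, y); blocked if a counter would go negative."""
    s, x, y = conf
    return {(s2, x + a, y + b) for s1, (a, b), s2 in T
            if s1 == s and x + a >= 0 and y + b >= 0}

def cheat_refutable(T, k, x, y):
    """B has just claimed a zero test (transition k) with counters (x, y):
    can A escape to s_*^A, i.e. was the claim a cheat?"""
    return any(s == ('A', 'star') for s, _, _ in game_successors(T, (('A', 't', k), x, y)))

def lift_run(M, T, run):
    """Lift a run of M to game configurations: each step (s1,x1,y1) -> (s2,x2,y2)
    becomes the two moves s1^B -> s_t^A -> s2^B. Returns None if some step is illegal."""
    s0, x0, y0 = run[0]
    lifted = [(('B', s0), x0, y0)]
    for (s1, x1, y1), (s2, x2, y2) in zip(run, run[1:]):
        for k, (t1, op, t2) in enumerate(M.transitions):
            if (t1, t2) != (s1, s2):
                continue
            if op[0] == 'add':
                legal = (op[1], op[2]) == (x2 - x1, y2 - y1) and x2 >= 0 and y2 >= 0
            else:
                legal = (x1, y1) == (x2, y2) and (x1 if op[0] == 'x=0?' else y1) == 0
            if legal:
                break
        else:
            return None  # no transition of M justifies this step
        mid, end = (('A', 't', k), x2, y2), (('B', s2), x2, y2)
        if mid not in game_successors(T, lifted[-1]) or end not in game_successors(T, mid):
            return None
        lifted += [mid, end]
    return lifted

# Constructed sample machine: in p, B may increment x or, claiming x = 0, move to the
# final state r.
SAMPLE = CounterMachine(states={'p', 'r'},
                        transitions=[('p', ('add', 1, 0), 'p'), ('p', ('x=0?',), 'r')])
```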

8 Parity Games 

A parity game $G$ of degree $n$ is a tuple $(C, C_A, C_B, \longrightarrow, r)$ where $C$, $C_A$, $C_B$, $\longrightarrow$
are defined as in games (Section 2), and $r$ is a mapping from $C$ to the set
$\{0, \ldots, n\}$ of natural numbers. We use $C^k$ to denote $\{c \mid r(c) = k\}$. The sets $C_A^k$
and $C_B^k$ are defined in a similar manner. We call $r(c)$ the rank of $c$. Abusing notation,
we define the rank $r(P)$ of a play $P = c_0, c_1, c_2, \ldots$ to be $\min\{r(c_0), r(c_1), r(c_2), \ldots\}$.
We say that $P$ is parity winning if $r(P)$ is even. We say that $c$ is parity
winning if there is an A-strategy $\sigma_A$ such that, for each B-strategy $\sigma_B$, it is the
case that $P(c, \sigma_A, \sigma_B)$ is parity winning.

The parity problem 

Instance. A parity game G and a configuration c in G. 

Question. Is c (parity) winning? 

Remark. Notice that our definition of parity games considers the parity of the configurations
which appear in the play, rather than the configurations which appear
infinitely often (which is the standard definition). Our undecidability result can
be extended to the latter case, too.

We show below that the parity problem is undecidable for A-downward closed
games. In particular, we show undecidability of the problem for A-LCS games.
The proof for B-downward closed games is similar.

Theorem 7. The parity problem is undecidable for A-LCS games. 

In [AJ96a] we show undecidability of the recurrent state problem for transition
systems based on lossy channel systems.

Recurrent State Problem

Instance. A lossy channel system $\mathcal{C}$ and a control state $s_{init}$.

Question. Is there a channel state $w$ such that there is an infinite computation
starting from $(s_{init}, w)$?

We reduce the recurrent state problem for LCS to the parity problem for A-LCS.
We construct a new $\mathcal{C}'$ to simulate $\mathcal{C}$. Intuitively, we let player A choose the
moves of the original system, while player B follows passively. An additional loop
at the beginning of $\mathcal{C}'$ allows us to guess the initial contents $w$ of the channels.
If the system deadlocks, then player B wins. So the only way for player A to
win is to make the system follow an infinite sequence of moves. More formally,
$\mathcal{C}' = (S, S_A, S_B, L, M, T, S_F)$ is defined as follows. For each control state $s$ in $\mathcal{C}$,
we create a control state $s^A \in S_A$. For each transition $t$ in $\mathcal{C}$, we create a control
state $s_t^B \in S_B$. For each transition $t = (s_1, op, s_2)$ in $\mathcal{C}$ there are two transitions
$(s_1^A, op, s_t^B)$ and $(s_t^B, nop, s_2^A)$ in $\mathcal{C}'$. Furthermore, there are five additional states
$s_1, s_4 \in S_A$ and $s_2, s_3, s_5 \in S_B$, together with the following transitions:

- Two transitions $(s_1, \ell!m, s_2)$ and $(s_2, nop, s_1)$ for each $m \in M$ and $\ell \in L$.
These two allow us to build up the initial channel contents.

- Two transitions $(s_1, nop, s_3)$ and $(s_3, nop, s_{init}^A)$. This is to get to the initial
state of $\mathcal{C}$ when the channel content is ready.

- A transition $(s^A, nop, s_5)$ for each control state $s$ in $\mathcal{C}$. This transition is
only taken when $\mathcal{C}$ is deadlocked.

- Two transitions $(s_4, nop, s_5)$ and $(s_5, nop, s_4)$. This loop indicates a deadlock
in $\mathcal{C}$.

The ranks of the configurations are defined as follows:

- $r((s_1, w)) = r((s_2, w)) = r((s_3, w)) = 3$, for each $w$.

- $r((s^A, w)) = r((s_t^B, w)) = 2$, for each $w$, each transition $t$ in $\mathcal{C}$, and each
control state $s$ in $\mathcal{C}$.

- $r((s_4, w)) = r((s_5, w)) = 1$, for each $w$.

We show that $(s_1, \epsilon)$ is parity winning if and only if there exists a $w$ and an
infinite sequence starting from $(s_{init}, w)$.

Remarks.

- In case both players can lose messages, we can show that the parity problem
is decidable. The reason is that the best strategy for each player is to empty
the channels after the next move. The problem can therefore be reduced to
an equivalent problem over finite-state graphs.

- Using results in [May00], we can strengthen Theorem 7, showing undecidability
for A-VASS (and B-VASS) games. Such games are special cases of the
ones reported here where the message alphabet is of size one (each channel
behaves as a lossy counter).
Abstract. This article discusses the relations between step-wise development
through refinement and the design of test-cases. It turns out
that a commuting diagram inspired by the V-process model is able to
clarify the issues involved. This V-diagram defines the dependencies of
specifications, implementations and test-cases in the category of contracts.
The objects in this category are contracts defined in the formalism
of the refinement calculus. The maps are the refinement steps between
these objects. Our framework is able to define the correctness notion
of test-cases, testing strategies as refinement rules, and which test-cases
should be added under refinement.

Keywords: formal methods, specification-based testing, refinement, refinement
calculus, contracts.



1 Introduction 

The synergy of formal methods and testing has become a popular area of research.
In recent years, test-generation tools have been invented for almost
every popular specification language. One reason is the industry’s demand to
cut the efforts of software testing. Another is the academics’ insight that testing
is complementary to proving the correctness of a program (see e.g. Hoare’s
comments on testing in [8]).

However, little research has addressed the question of how the related
development techniques such as refinement contribute to testing. Our current
research addresses this open issue. In our previous work we have demonstrated
that test design can be viewed as a reverse program synthesis problem of finding
adequate abstractions [1]. The consequence of this insight is that we are able to
define test-case synthesis rules in order to calculate correct test-cases from specifications.
The mathematical framework in our work is the refinement calculus
of Back and von Wright [6] including a simple but powerful contract language.

Our general approach is able to cover rather different test-selection techniques
like domain partitioning [3], interactive scenario selection [2], and mutation testing
[4]. This previous work demonstrated that a test-case selection strategy can
be represented by means of formal synthesis rules that define how specifications
should be changed into test-cases. This approach is inspired by the refinement
calculus where refinement rules define correctness preserving development steps.
The difference is that our rules represent the derivation of test-cases by means
of abstraction steps.

In this paper we focus on the question: “Which new test-cases are needed if
we refine a specification or implementation?”. In order to give a scientific answer,
the role of testing and step-wise development has to be clarified. This can be
done using a simple diagram (Figure 1) to which we give a precise mathematical
semantics.



Fig. 1. The V-Diagram (contracts $C_i$ on the left-hand side, test-cases $T_i$ on the right-hand side).



The V-diagram is inspired by the V process model, a derivative of the waterfall
model where the development phases are explicitly linked to testing. Both
visualizations stress the importance of testing. The left-hand side of the V in
Figure 1 represents the step-wise development of a specification $C_1$ into an implementation
$C_n$. In the following $C_1$ to $C_n$ are called contracts representing
commitments on different levels of abstraction. All the arrows in the diagram
denote refinement. On the right-hand side of the V, the corresponding test-cases
are shown. The test-cases are refined in accordance with the contracts. In our
view of test-cases, contract $C_i$ must be a refinement of its test-cases $T_i$. Consequently,
test-cases can be viewed as a special form of specification. During
discussions we have found that not too many colleagues are aware of this fact.

The formal refinement relation between test-cases $T_i$ and a contract $C_i$ can
be interpreted in two directions:

- test-cases as specifications: if test-cases are given, an implementation or formal
specification must be a correct refinement of the intended test-cases.

- test-synthesis as an abstraction problem: as a refinement calculus is a technique
to derive correct implementations from a specification by following
correctness preserving refinement rules, dual abstraction rules can be used
to calculate test-cases. The names of the refinement arrows $t_i^{-1}$ in Figure 1
should indicate this reverse process of abstraction.
In the following sections we will discuss this diagram and its consequences in
more detail. Section 2 presents the mathematical interpretation of the V-diagram
as a commuting diagram in the category of contracts. Section 3 briefly introduces
the notions of contracts and refinements in the refinement calculus. This section
covers the left-hand side of the V. Next, Section 4 shows that different kinds of
test-cases are in fact abstractions of formal specifications. Section 5 presents a
main contribution of this paper: properties for new test-cases under refinement.
In Section 6 an example serves to illustrate these findings. Finally, we draw our
conclusions in Section 7.



2 A Formal Interpretation of the V-Diagram 



The explanations of the V-Diagram have been informal so far. We neither gave 
a definition of contracts, nor a definition of refinement. These definitions will be 
provided in Section 3. However, taking a category theoretic view on Figure 1 
reveals interesting properties without a detailed knowledge of the refinement 
calculus. 

A category $\mathbf{C}$ is an algebraic structure consisting of a class of objects and
a class of maps$^1$. Each map $f$ has one object $A$ as domain and one object $B$
as codomain, denoted $A \xrightarrow{f} B$. For each object $A$ an identity map $A \xrightarrow{1_A} A$
exists. Furthermore, composition $A \xrightarrow{f} B \xrightarrow{g} C$ is defined on maps. In a category
the identity laws $1_B \circ f = f$ and $f \circ 1_A = f$ hold and composition is associative:
$(h \circ g) \circ f = h \circ (g \circ f)$.

It can be easily seen that contracts form such a category, here called $\mathbf{Con}$.
The objects in $\mathbf{Con}$ are contracts formulated in the contract language of the
refinement calculus (see Section 3). A map $A \xrightarrow{r} B$ in $\mathbf{Con}$ is a refinement
step of $A$ into $B$. We write $A \sqsubseteq B$ for $B$ being a refinement of $A$. The identity
refinement $A = B$ exists, as well as composition of refinements, which is
associative.

In category theory equalities can be easily described by means of commuting
diagrams. For example, the identity law $1_B \circ f = f$ can be expressed via the
following commuting diagram:

$A \xrightarrow{f} B \xrightarrow{1_B} B$, where the composite $1_B \circ f$ equals the map $A \xrightarrow{f} B$.
Consequently, by interpreting Figure 1 as a diagram in the category $\mathbf{Con}$,
several properties can be derived.

The commutations in the V-diagram represent $n - 1$ equations for $1 \le i < n$:

$r'_i \circ t_i^{-1} = t_{i+1}^{-1} \circ r_i$

This equation implies that given two sets of test-cases, $T_i$ for a contract $C_i$ and
$T_{i+1}$ for a refined contract $C_{i+1}$ such that $C_i \sqsubseteq C_{i+1}$, then the test-cases $T_{i+1}$ must
be a refinement of $T_i$, or $T_i \sqsubseteq T_{i+1}$. This means that under refinement the test-cases
have to be refined as well. What this refinement looks like will be discussed
in Section 5.

$^1$ We use the terminology of [9].

Since composition exists we know that step-wise refinement preserves refinement.
For example, if we extend $\sqsubseteq$ point-wise to maps, then $C_1 \sqsubseteq C_n$ can be
expressed as

$1_{C_1} \sqsubseteq r_{n-1} \circ \cdots \circ r_2 \circ r_1$

The same holds for refining test-cases, e.g.:

$1_{T_1} \sqsubseteq r'_{n-1} \circ \cdots \circ r'_2 \circ r'_1$

As a consequence even more similar equations relating the several refinements
on different levels of abstraction can be derived. All these properties are captured
in the V-diagram.



3 Refining Contracts: $C \to C'$

3.1 Contracts 

The prerequisite for testing is some form of contract between the user and the
provider of a system that specifies what it is supposed to do. In the case of system-level
testing, usually user and software requirement documents define the contract.
Formal methods propose mathematics to define such a contract unambiguously
and soundly. In the following the formal contract language of Back
and von Wright [6] is used. It is a generalization of the conventional pre- and
post-condition style of formal specifications known from VDM, B and Z. The
foundation of this refinement calculus is based on lattice theory and classical
higher-order logic (HOL).

A system is modeled by a global state space $\Sigma$. A single state $x$ in this
state space is denoted by $x : \Sigma$. Functionality is either expressed by functional
state transformers $f$ or relational updates $R$. A state transformer is a function
$f : \Sigma \to \Gamma$ mapping a state space $\Sigma$ to the same or another state space $\Gamma$.

A relational update $R : \Sigma \to (\Gamma \to Bool)$ specifies a state change by relating
a state before ($\sigma : \Sigma$) with a state after execution ($\gamma : \Gamma$). In HOL, relations
are modeled by functions mapping the states to Boolean valued predicates. For
convenience, a relational assignment $(x := x' \mid b)$ is available and generalizes assignment
statements. It sets a state variable $x$ to a new state $x'$ such that $b$,
relating $x$ and $x'$, holds.

The language further distinguishes between the responsibilities of communicating
agents in a contract. Here, the contract models the viewpoint of one
agent called the angel who interacts with the rest of the system called the demon.
In our work following [6,5], the user is considered the angel and the system
under test the demon. Relational contract statements denoted by $\{R\}$ express
relational updates under control of the angel (user). Relational updates of the
demon are denoted by $[R]$ and express updates that are non-deterministic from
the angel’s point of view. Usually, we take the viewpoint of the angel.
The contract statement $\langle f \rangle$ denotes a functional update of the state determined
by a state transformer $f$. There is no choice involved here, neither for the
angel nor the demon agent, since there is only one possible next state for a given
state.

Two contracts can be combined by sequential composition $C_1; C_2$ or choice
operators. The angelic choice $C_1 \sqcup C_2$ and the demonic choice $C_1 \sqcap C_2$ define non-deterministic
choice of the angel or demon between two contracts $C_1$ and $C_2$.
Furthermore, predicate assertions $\{p\}$ and assumptions $[p]$ define conditions the
angel, respectively the demon, must satisfy. In this language of contract statements
$\{p\}; \langle f \rangle$ denotes partial functions and $\{p\}; [R]$ pre-postcondition specifications.
Furthermore, recursive contracts defined by means of least ($\mu$) and
greatest fix-point operators ($\nu$) may express several patterns of iteration.

The core contract language used in this work can be summarized by the
following BNF grammar, where $p$ is a condition and $R$ a relation over states.

$C ::= \{p\} \mid [p] \mid \{R\} \mid [R] \mid C; C \mid C \sqcup C \mid C \sqcap C \mid \mu X \cdot C$

As needed, we will extend this core language by our own contract state- 
ments. However, all new statements will be defined by means of the above core 
language. Thus, our language extensions are conservative. This means that no 
inconsistencies into the theory of the refinement calculus are introduced by our 
new definitions. 

3.2 Example Contracts 

A few simple examples should illustrate the contract language. The following
contract is a pre-postcondition specification of a square root algorithm:

$\{x > 0 \wedge e > 0\};\ [x := x' \mid -e < x - x'^2 < e]$

The precondition is an assertion about an input variable $x$ and a precision
$e$. A relational assignment expresses the demonic update of the variable $x$ to its
new value $x'$. Thus, the contract is breached unless $x > 0 \wedge e > 0$ holds in the
initial state. If this condition is true, then $x$ is assigned some value $x'$ for which
$-e < x - x'^2 < e$ holds.

Consider the following version of the square root contract that uses both
kinds of non-determinism:

$\{x, e := x', e' \mid x' > 0 \wedge e' > 0\};\ [x := x' \mid -e < x - x'^2 < e]$

In this contract the interaction of two agents is specified explicitly. This
contract requires that our agent, called the angel, first chooses new values for
$x$ and $e$. Then the other agent, the demon, is given the task of computing the
square root in the variable $x$.

The following example should demonstrate that programming constructs can
be defined by means of the basic contract statements. A conditional statement
can be defined by an angelic choice as follows:

$\textbf{if } P \textbf{ then } S_1 \textbf{ else } S_2 \textbf{ fi} = \{P\}; S_1 \sqcup \{\neg P\}; S_2$

Thus, the angel agent can choose between two alternatives. The agent will,
however, always choose only one of these, the one for which the assertion is
true, because choosing the alternative where the guard is false would breach the
contract. Hence, the agent does not have a real choice if he wants to satisfy the
contract$^2$.

Iteration can be specified by recursive contracts $(\mu X \cdot C)$. Here $X$ is a variable
that ranges over contract statements, while $(\mu X \cdot C)$ is the contract statement
$C$, where each occurrence of $X$ in $C$ is interpreted as a recursive invocation of
the contract $C$. For example, the standard while loop is defined as follows:

$\textbf{while } g \textbf{ do } S \textbf{ od} = (\mu X \cdot \textbf{if } g \textbf{ then } S; X \textbf{ else skip fi})$

We write $\textbf{skip} = \langle id \rangle$ for the action that applies the identity function to the
present state.



3.3 Semantics 



The semantics of the contract statements is defined by weakest precondition
predicate transformers. A predicate transformer $C : (\Gamma \to Bool) \to (\Sigma \to Bool)$
is a function mapping postcondition predicates to precondition predicates. The
set of all predicate transformers from $\Sigma$ to $\Gamma$ is denoted by $\Sigma \mapsto \Gamma = (\Gamma \to Bool) \to (\Sigma \to Bool)$.

The different roles of the angel and the demon are reflected in the following
weakest-precondition semantics. Here $q$ denotes a postcondition predicate and
$\sigma$ a particular state, $p$ is an arbitrary predicate, and $R$ a relation. The weakest-precondition
predicate transformer is denoted by $wp$. The notation $f.x$ is used
for function application instead of the more common form $f(x)$.



$wp.\{p\}.q = p \cap q$ (assertion)

$wp.[p].q = \neg p \cup q$ (assumption)

$wp.\{R\}.q.\sigma = (\exists \gamma \in \Gamma \cdot R.\sigma.\gamma \wedge q.\gamma)$ (angelic update)

$wp.[R].q.\sigma = (\forall \gamma \in \Gamma \cdot R.\sigma.\gamma \Rightarrow q.\gamma)$ (demonic update)

$wp.(C_1; C_2).q = C_1.(C_2.q)$ (sequential composition)

$wp.(C_1 \sqcup C_2).q = C_1.q \cup C_2.q$ (angelic choice)

$wp.(C_1 \sqcap C_2).q = C_1.q \cap C_2.q$ (demonic choice)



In this semantics, the breaching of a contract by our angel agent means
that the weakest-precondition is false. If a demon agent breaches a contract,
the weakest-precondition is trivially true. The semantics of the specification constructs
above can be interpreted as follows:

- The weakest precondition semantics of an assertion contract reflects the fact
that, if the final state of the contract should satisfy the post-condition $q$,
then in addition the assertion predicate $p$ must hold. It can be seen that
the global state is not changed by an assertion statement. Consequently, the
angel breaches this contract if $p \cap q$ evaluates to false.

$^2$ An alternative definition can be given by demonic choice.
- The semantics of an assumption shows that the demon is responsible for
satisfying an assumption predicate $p$. If the assumption does not hold, the
demon breaches the contract and the angel is released from the contract. In
this case, the weakest-precondition trivially evaluates to true.

- The angelic update definition says that a final state $\gamma$ must exist in the
relation $R$, such that the postcondition $q$ holds. The existential quantifier
in the weakest-precondition shows that the angel has control of this update.
The angel can satisfy the contract, as long as one update exists that satisfies
the postcondition. In the set notation this update is defined as $wp.\{R\}.q.\sigma = R.\sigma \cap q \neq \emptyset$.

- This is in contrast to the definition of the demonic update. Here, all possible
final states $\gamma$ have to satisfy the postcondition. The reason is that the demonic
update is out of our control. It is not known to which of the possible
states, described by the relation $R$, the state variables will be set. In the set
notation this update is defined as $wp.[R].q.\sigma = R.\sigma \subseteq q$.

- The weakest-precondition of two sequentially combined contracts is defined
by the composition of the two weakest-preconditions.

- The angelic choice definition shows that the weakest-precondition is the
union of the weakest-preconditions of the two contracts. Thus, a further choice
of the angel further weakens the weakest-preconditions.

- The demonic choice is defined as the intersection of the weakest-preconditions
of the two contracts. Thus, demonic choice represents a strengthening
of the weakest-preconditions.

For further details of the predicate transformer semantics, we refer the reader 
to [6]. 

3.4 Refinement and Abstraction 

The notion of contracts includes specification statements as well as programming 
statements. More complicated specification statements as well as programming 
statements can be defined by the basic contract statements presented above. The 
refinement calculus provides a synthesis method for refining specification state- 
ments into programming statements that can be executed by the target system. 
The refinement rules of the calculus ensure by construction that a program is 
correct with respect to its specification. 

Formally, refinement of a contract $C$ by $C'$, written $C \sqsubseteq C'$, is defined by
the point-wise extension of the subset ordering on predicates: for $\Gamma$ being the
after state space of the contracts, we have

$C \sqsubseteq C' \;\hat{=}\; \forall q \in (\Gamma \to Bool) \cdot C.q \subseteq C'.q$

This ordering relation defines a lattice of predicate transformers (contracts)
with the lattice operators meet $\sqcap$ and join $\sqcup$. The top element $\top$ is $magic.q = true$,
a statement that is not implementable since it can magically establish every
postcondition. The bottom element $\bot$ of the lattice is $abort.q = false$, defining
the notion of abortion. The choice operators and negation of contracts are defined
by point-wise extension of the corresponding operations on predicates. A large
collection of refinement rules can be found in [6,10].

Abstraction is dual to refinement. If $C \sqsubseteq C'$, we can interchangeably say $C$
is an abstraction of $C'$. In order to emphasize rather the search for abstractions
than for refinements, we write $C \sqsupseteq C'$ to express that $C'$ is an abstraction of $C$.
Trivially, abstraction can be defined as:

$C \sqsupseteq C' \;\hat{=}\; C' \sqsubseteq C$

Hence, abstraction is defined as the reverse of refinement. The reader should
keep this technical definition of abstraction in mind when we identify test-cases
as abstractions in the following section.



4 Test-Cases through Abstraction: $T \xleftarrow{t^{-1}} C$

In the following we will demonstrate that test-cases are in fact contracts — highly 
abstract contracts. To keep our discussion simple, we do not consider parame- 
terized procedures, but only global state manipulations. In [6] it is shown how 
procedures can be defined in the contract language. Consequently, our approach 
scales up to procedure calls. 



4.1 Input-Output Tests 

The simplest form of test-cases are pairs of input $i$ and output $o$ data. We can
define such an input-output test-case $TC$ as a contract between the user and the
unit under test:

$TC\ i\ o \;\hat{=}\; \{x = i\};\ [y := y' \mid y' = o]$

Intuitively, the contract states that if the user provides input $i$, the state will
be updated such that it equals $o$. Here, $x$ is the input variable and $y$ the output
variable.

In fact, such a $TC$ is a formal pre-postcondition specification solely defined for
a single input $i$. This demonstrates that a collection of $n$ input-output test-cases
$TCs$ are indeed point-wise defined formal specifications:

$TCs \;\hat{=}\; TC\ i_1\ o_1 \sqcup \ldots \sqcup TC\ i_n\ o_n$

Moreover, such test-cases are abstractions of general specifications, if the specification
is deterministic for the input value of the test-case, as the following
theorem shows.

Theorem 1. Let $p : \Sigma \to Bool$ be a predicate, $Q : \Sigma \to \Gamma \to Bool$ a relation
on states, and $TC\ i\ o$ a test-case, where all state variables (the whole state) are
observable and not just a designated input variable $x$ and an output variable $y$$^3$.
Thus, input $i : \Sigma$ and output $o : \Gamma$. Then

$\{p\}; [Q] \sqsupseteq TC\ i\ o \;\equiv\; p.i \wedge (Q.i = o)$

$\square$



The intuition behind Theorem 1 is that input-output test-cases can be viewed
as pre-postcondition specifications with a special pre-condition restricting the
input to a single test-value. If the specification is deterministic for the given
input, a derived test-case is an abstraction of this specification. Note that in the
case of non-deterministic specifications a form of non-deterministic test-cases is
needed, as has been shown in [2].

Furthermore, the selection of certain test-cases out of a collection of test-cases
can be considered an abstraction:

Corollary 1.

$TC\ i_1\ o_1 \sqcup \ldots \sqcup TC\ i_n\ o_n \sqsupseteq TC\ i_k\ o_k$

for all $k$, $1 \le k \le n$.

Proof. The theorem is valid by definition of the join operator: $a \sqcup b \sqsupseteq a$ or $a \sqcup b \sqsupseteq b$,
respectively. $\square$

The fact that test-cases are indeed formal specifications and, as Theorem 1 
shows, abstractions of more general contracts shows an aspect of why test-cases 
are so popular: First, they are abstract in the technical sense, and thus easy to 
understand. Second, they are formal and thus unambiguous. 

Here, only the commonly used pre-postcondition contracts have been considered.
They are a normal form for all contracts not involving angelic actions.
This means that arbitrary contracts excluding $\sqcup$ and $\{R\}$ can be formulated
in a pre-postcondition style (see Theorem 26.4 in [6]). However, our result that
test-cases are abstractions holds for general contract statements involving user
interaction. We refer to [2,1] where we have demonstrated that even sequences of
interactive test-cases, so called scenarios, are abstractions of interactive system
specifications. In the same work we have shown how test-synthesis rules can be
formulated for deriving test-partitions or scenarios.



5 Refining Test-Cases: $T \to T'$

5.1 Defining the Problem 

In the previous sections it has been demonstrated that test-cases are abstractions
of specification or implementation contracts. If contracts are refined towards an
implementation, the test-cases can be refined accordingly in order to test the
correctness of the chosen refinement steps.

$^3$ The slightly more complex case of partly observable states including proofs can be
found in [2].
However, the refinement relation $\sqsubseteq$ alone is too weak a criterion for
designing new test-cases. For example, the relation $\sqsubseteq$ includes the equality of
contracts $=$. This means that the same test-cases could be used for the refined
contract. Note that in this case the V-diagram still commutes, but that
$T \to T' = T \xrightarrow{1_T} T$. More useful criteria for designing new test-cases are
needed.

The problem of finding new test-cases can be formulated as follows:

Theorem 2. Given a contract $C$ and its refinement $C'$. Furthermore, it is assumed
that test-cases $T$ for $C$ have been correctly designed, thus $C \sqsupseteq T$. Then
the refined test-cases $T'$ for testing $C'$ have the general form

$T' = (T \sqcup T'_{new})$

for arbitrary new test-cases $T'_{new}$ such that $C' \sqsupseteq T'_{new}$.

Proof. It must be shown that $(T \sqcup T'_{new})$ is a refinement of $T$ and that they are
test-cases of $C'$, thus $T \sqsubseteq (T \sqcup T'_{new})$ and $C' \sqsupseteq (T \sqcup T'_{new})$ must hold.

The first property $T \sqsubseteq (T \sqcup T'_{new})$ holds for any $T'_{new}$ by definition of the
join operator $\sqcup$ in the lattice of contracts.

Similarly, by the definition of $\sqcup$, the second property $C' \sqsupseteq (T \sqcup T'_{new})$ holds
iff $C' \sqsupseteq T$ and $C' \sqsupseteq T'_{new}$. Trivially, $C' \sqsupseteq T'_{new}$ is a premise. $C' \sqsupseteq T$ follows
from the facts that $C'$ is a refinement of $C$, thus $C' \sqsupseteq C$, and that $T$ are correct
test-cases designed for $C$, thus $C \sqsupseteq T$ holds.

This proves that the diagram commutes for refined test-cases $(T \sqcup T'_{new})$. $\square$

Theorem 2 shows that the problem of finding test-cases for a refined specifica- 
tion can be reduced to the question of finding additional new test-cases. However, 
not all new test-cases are useful. In order to be economical, they should cover 
the newly added parts or properties of the refined contract C' . 

5.2 Abstract Contracts as Mutations 

A main contribution of this paper is the insight that the problem of finding useful
test-cases $T'_{new}$ can be mapped to the author’s approach to mutation testing [4].

In analogy to program mutation in the traditional approaches of mutation
testing, in contract-based mutation testing introduced in [4] we produce a mutant
contract by introducing small changes to the formal contract definition. Then we
select test-cases that are able to detect the introduced mutations. What kind of
changes are to be introduced is heuristically defined by a set of mutation operators
that take a contract and produce its mutated version. However, not all mutants
are useful:

Definition 1. (useful mutant) A useful mutant of a contract $C$ is a mutated
contract $C_i$ such that there exists a test-case $TC_i \sqsubseteq C$ that is able to distinguish
an implementation of $C_i$ from an implementation of $C$. $\square$



Theorem 3. A mutant $C_i$ of a contract C is a useful mutant iff $C \not\sqsubseteq C_i$. □ 

In [4] we pointed out that abstract mutants $C_i \sqsubseteq C$ are useful. Furthermore we 
defined adequate test-cases for mutation testing: 

Definition 2. (adequate test-case) A test-case for a contract C is called ad- 
equate with respect to a set of mutation operators M if it is able to distinguish 
at least one useful mutant $M_i$, with $m.C = M_i$ and $m \in M$. □ 

Here, in our quest for useful new test-cases $T'_{new}$ for a contract C and $C \sqsubseteq C'$, 
we consider C as a useful mutant. Then $T'_{new}$ should be adequate test-cases that 
are able to distinguish the abstract mutant from its refinement. 

Thus the criterion for useful new test-cases is an adaptation of the abstraction 
rule for deriving mutation test-cases (Theorem 12 in [4]): 

Theorem 4. Given a contract C and its refinement C'. Furthermore, test-cases 
T for C have been previously designed following some selection strategy. Then 
the refined test-cases T' for testing C' have the general form 

$$T' = T \sqcup T'_{new}$$

and 

$$C' \sqsupseteq T'_{new} \;\wedge\; C \not\sqsupseteq T'_{new}$$

Alternatively an abstraction rule for producing useful new test-cases can be for- 
mulated as follows: 

$$\frac{C \sqsubseteq C', \quad C \sqsupseteq T, \quad C' \sqsupseteq T'_{new}, \quad C \not\sqsupseteq T'_{new}}{C' \sqsupseteq T \sqcup T'_{new}}$$

□ 

It can be seen that $C \not\sqsupseteq T'_{new}$ is the central property for adding new test-cases 
that are able to distinguish between contract C and its refinement C', or between 
their implementations, respectively. An example serves to illustrate this. 



6 Example 

Assume that we want to find an index i pointing to the smallest element in an 
array A[1..n], where n = len.A is the length of the array and $1 \le n$ (so the array 
is nonempty). 

We define the predicate minat.i.A to hold when the minimum value in A is 
found at A[i]. 

$$\mathit{minat}.i.A = 1 \le i \le \mathit{len}.A \;\wedge\; (\forall j \mid 1 \le j \le \mathit{len}.A \,.\, A[i] \le A[j])$$

Then the contract 

$$\mathit{MIN} = \{1 \le \mathit{len}.A\};\ [i := i' \mid \mathit{minat}.i'.A]$$

constitutes the problem of finding an index i with the minimum A[i] in A. 
In this example only input-output test-cases are considered. We define 
$TC_{i,o} = \{A = i\};\ [i := i' \mid i' = o]$ to be the corresponding deterministic 
test-case contracts with the input array A and the output index i containing the 
minimum of the array. 

Assume the following test-cases for MIN have been designed: 

$$T_1 = TC_{[2,1,3],\,2}$$

$$T_2 = TC_{[2,3,1],\,3}$$

$$T_3 = TC_{[1,2,3],\,1}$$

In [4] it is shown how these test-cases are derived by following a mutation testing 
strategy. Note that only deterministic test-cases are used, although the specifi- 
cation is non-deterministic. We have to add a non-deterministic test-case with 
two possible outputs 

$$T_4 = TC_{[1,1,3],\,(i = 1 \vee i = 2)}$$

in order to obtain sufficient coverage with respect to mutation testing. 

Next, consider the following implementation (refinement) of MIN using a 
guarded iteration statement: 

    MIN ⊑ MIN' = begin var k := 2; i := 1; 
                   do k ≤ n ∧ A[k] < A[i] → i, k := k, k + 1 
                   [] k ≤ n ∧ A[k] ≥ A[i] → k := k + 1 
                   od 
                 end 

What test-cases should be added in order to test the refinement? The rule in 
Theorem 4 points us to the answer, since a correct test-case of MIN' should 
be found that is not an abstraction of MIN. It is straightforward to reconsider 
the non-deterministic test-case, since the implementation MIN' is deterministic. 
Hence, new test-cases should be able to distinguish the deterministic from the 
non-deterministic version (mutant): 

$$T_{new} = TC_{[1,1,3],\,1}$$

is such a useful test-case. Our framework actually allows us to prove this fact by 
showing that $\mathit{MIN}' \sqsupseteq T_{new}$ and $\mathit{MIN} \not\sqsupseteq T_{new}$. 
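The example above can be run rather than only argued about. The following Python code is an added illustration, not code from the paper: it models a contract as a function from an input array to the set of result indices the contract admits, so that the relation "C ⊒ T" between a contract C and an input-output test-case T becomes a set inclusion on T's input. The functions minat, MIN, MIN_prime, TC, refines_testcase, refines and summary are names chosen for this example; the arrays and test-cases are the ones of the text, with MIN' written as a deterministic loop.

```python
"""Added example (not the paper's own code): the MIN example of Section 6,
with contracts modelled as functions from an input array to the set of result
indices they admit, so that refinement between a contract and an input-output
test-case can be checked directly on the sample arrays of the paper."""
from typing import Callable, Iterable, List, Set, Tuple

Contract = Callable[[List[int]], Set[int]]   # input A -> admissible values of i (1-based)
TestCase = Tuple[Tuple[int, ...], Set[int]]  # (input array A, admissible outputs o)


def minat(i: int, A: List[int]) -> bool:
    """minat.i.A: 1 <= i <= len.A and A[i] <= A[j] for every j (1-based indices)."""
    n = len(A)
    return 1 <= i <= n and all(A[i - 1] <= A[j - 1] for j in range(1, n + 1))


def MIN(A: List[int]) -> Set[int]:
    """The non-deterministic contract MIN: any index holding the minimum is allowed."""
    assert 1 <= len(A), "precondition {1 <= len.A} violated"
    return {i for i in range(1, len(A) + 1) if minat(i, A)}


def MIN_prime(A: List[int]) -> Set[int]:
    """The refinement MIN' of the paper: the guarded iteration, which is deterministic."""
    assert 1 <= len(A), "precondition {1 <= len.A} violated"
    n = len(A)
    k, i = 2, 1                    # var k := 2; i := 1
    while k <= n:                  # do ... od: iterate while a guard is enabled
        if A[k - 1] < A[i - 1]:    # k <= n and A[k] < A[i]  ->  i, k := k, k + 1
            i, k = k, k + 1
        else:                      # k <= n and A[k] >= A[i] ->  k := k + 1
            k += 1
    return {i}


def TC(A: Iterable[int], outputs: Set[int]) -> TestCase:
    """The input-output test-case contract TC_{A,o} = {A = input}; [i := i' | i' in o]."""
    return (tuple(A), set(outputs))


def refines_testcase(C: Contract, T: TestCase) -> bool:
    """C ⊒ T (T is an abstraction of C): on T's input, C admits only results T admits."""
    A, allowed = T
    return C(list(A)) <= allowed


def refines(C: Contract, C_prime: Contract, inputs: Iterable[List[int]]) -> bool:
    """C ⊑ C' checked on sample inputs: C' never admits a result that C rules out."""
    return all(C_prime(A) <= C(A) for A in inputs)


# The test-cases of the paper
T1 = TC([2, 1, 3], {2})
T2 = TC([2, 3, 1], {3})
T3 = TC([1, 2, 3], {1})
T4 = TC([1, 1, 3], {1, 2})      # non-deterministic: both indices hold the minimum
T_new = TC([1, 1, 3], {1})      # the candidate new test-case for MIN'


def summary() -> dict:
    """The facts the paper states about T1..T4 and T_new, evaluated."""
    designed = (T1, T2, T3, T4)
    return {
        "MIN ⊒ T1..T4": all(refines_testcase(MIN, T) for T in designed),
        "MIN' ⊒ T1..T4": all(refines_testcase(MIN_prime, T) for T in designed),
        "MIN' ⊒ T_new": refines_testcase(MIN_prime, T_new),
        "MIN ⊒ T_new": refines_testcase(MIN, T_new),
    }


if __name__ == "__main__":
    for claim, holds in summary().items():
        print(f"{claim}: {holds}")
```

The last two entries of summary() are exactly the pair of facts the text asks for: T_new is a test-case of MIN' (MIN' only ever returns index 1 on [1,1,3]) but not an abstraction of MIN, which also admits index 2. Note that the check of MIN ⊑ MIN' offered by refines is only over the sample inputs given to it; it is a sanity check, not a proof.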

7 Conclusion 

Summary. In this article we have presented a unified view on testing and refine- 
ment. First, category theory has been used to analyze the relations of testing 
and refinement on a high-level of abstraction. A commuting diagram was able 
to capture the essential properties. Then, the refinement calculus was used to 
take a closer look at this diagram. Refinement and abstraction have been defined 
formally. It has been shown that test-cases are in fact abstract contracts of spec- 
ifications or implementations. Finally, the novel framework was able to answer 
the question “Which new test-cases are needed if we refine a specification or im- 
plementation?” A new formal inference rule for assessing new test-cases under 
refinement has been provided. 

Related Work. To our current knowledge no other work has been published that 
uses a refinement calculus for deriving test-cases. Stepney was the first who 
made the abstraction relation between test-cases and object-oriented Z specifi- 
cations explicitly [12]. Her group developed a tool for interactively calculating 
partition abstractions and to structure them for reuse. Our work can be seen as 
an extension of this view on testing. We are happy to see that recently other 
colleagues seem to pick up our ideas and transfer the results to other frameworks 
and application domains like modal logics and security [11]. 

Derrick and Boiten looked at testing refinements in state-based Z-specifica- 
tions [7]. We assume that our framework can express the properties they have 
collected for refining this kind of specifications. This is part of future work. 

Discussion. Our approach to testing is a novel unification of the area of testing 
and formal methods in several senses: First, test-cases are considered as a spe- 
cial form of specifications or contracts. Next, program synthesis techniques, like 
the refinement calculus can be applied to test-synthesis — it is just abstraction. 
Finally, the notion of refinement is sufficient to clarify the relations of testing 
and step-wise development — it forms a category of contracts. The work pre- 
sented demonstrates that such a unification leads to simpler theories and to a 
better understanding of the different test-approaches available. In this paper, for 
example, we have found a scientifically defensible formula for which test-cases are to 
be added under refinement. 

Here, we did not address the important issue of test coverage explicitly, but 
have given a rule for calculating test-cases for refinements. In our previous papers 
we have given abstraction rules for different selection strategies [2,3,4]. The new 
rule for refinement test-cases can be easily combined with these rules such that 
the new test-cases follow a certain test-strategy. One just has to assure that the 
new test-cases $T'_{new}$ in Theorem 4 are calculated according to a strategy rule 
and that $T'_{new}$ is not an abstraction of C. 

Future Work. We hope that our newly gained insight that testing refinements 
can be mapped to mutation testing will stimulate further research. Our approach 
can be easily applied to other frameworks that form a similar category. In cate- 
gory theory we would say that a functor must exist that maps our category of 
contracts into other frameworks. 

Finally, automation is of major concern. Future work must involve the re- 
search that analyzes to which extent our approach can be automated and which 
mathematical framework is best suited to support this automation. 
Abstract. The functional paradigm of computation has been widely investigated 
and given a solid mathematical foundation, initiated with the Curry-Howard iso- 
morphism, then elaborated and extended in multiple ways. However, this paradigm 
is inadequate to capture many useful programming intuitions, arising in particular 
in the development of applications integrating distributed, autonomous compo- 
nents. Indeed, in this context, non-determinism and true concurrency are the rule, 
whereas functional programming stresses determinism, and, although it allows 
some degree of concurrency, it is more as a “nice feature to have” rather than a 
primary assumption. 

This paper is part of a program the ambition of which is to provide a logical 
foundation to a set of programming intuitions which, until now, have not been 
adequately accounted for. In particular, we are interested in the intuitions which 
lie behind the concept of transaction, a powerful and essential concept in dis- 
tributed component-based application development. This concept is independent 
of the application domain and usually captured in an abstract form in middleware 
architectural layers. 

We claim here that proof-construction, and more precisely proof-net construction 
in Linear Logic, offers the adequate basis for our purpose. We outline the rela- 
tion, which is of the same nature as the Curry-Howard isomorphism, between 
transactional concepts and mechanisms on one hand, and proof-net construction 
on the other. Finally, we describe an algorithm which performs concurrent proof- 
net construction, where each expansion step is viewed as a transaction. Conflicts 
between such transactions are minimised using general topological properties of 
proof-nets, based on a variant of the notion of “domination tree”, introduced and 
proved here. 

Keywords: Logical foundations of programming paradigms, Linear Logic, Proof- 
nets, Concurrency, Transactions. 



1 Introduction 

It has been recognised early on in the development of computer science that proof 
theory offers adequate concepts and tools to capture abstract computational mechanisms. 
Thus, the so-called Curry-Howard isomorphism establishes a direct correspondence 
between proof-theoretic notions such as Cut elimination and fundamental mechanisms 
of the functional programming paradigm, such as parameter passing and type-preserving 
evaluation. However, this paradigm is essentially characterised by its determinism: a 
well-typed computation may evolve in multiple ways, but always terminates and there 
is a notion of "result" of the computation which is independent of the specific strategy 
chosen in the reductions (this is essentially the convergence property of typed lambda- 
calculus). This form of determinism, which is extremely intuitive when computation is 
viewed as pure (eg. arithmetic) calculation, becomes a hindrance when computation is 
viewed as coordinated interactions between a set of autonomous components through 
their environment. And many computer programs are more naturally understood in this 
way rather than as pure calculation: operating systems, electronic brokers, workflow 
engines, monitoring tools, etc. These programs may involve deterministic calculations 
at some points in their execution, but, overall, they do not produce any final “result”, 
and constantly interact instead with their environment in a non fully deterministic way. 

There is another computation paradigm, improperly called logic programming, which, 
especially in its concurrent flavour, stresses non-determinism and interaction rather than 
calculation. In proof-theoretic terms, it corresponds to a different intuition, namely 
proof-construction rather than proof-reduction. The mapping between computational 
and proof-theoretic concepts in the two paradigms can thus be summarised as follows: 

    Computation      | Proof theory                    |
    -----------------+---------------------------------+---------------------------------
    Paradigm         | "functional"                    | "logic"
    State            | Proof                           | Proof
                     | - possibly with Cuts            | - without Cuts
                     | - without Proper axioms         | - possibly with Proper axioms
    Transformation   | Proof reduction                 | Proof construction
                     | ie. Cut elimination             | ie. Proper axiom elimination
    Final state      | Proof without Cut               | Proof without Proper axiom
    Type             | Formula                         | Formula / Sequent


In this paper, we study the problem of the construction of a proof by a set of concurrent 
agents. The inference system considered here is the focussing bipolar sequent calculus 
of Linear Logic [1], which has been shown to be equivalent to that of full Linear Logic. 
However, to express concurrency in proof construction, a sequent system is not the 
adequate representation tool. Proof-nets, which offer a desequentialised representation 
of proofs, are more appropriate. The paradigm of proof-net construction by concurrent 
agents in the multiplicative, transitory fragment of bipolar Linear Logic has been pre- 
sented in [2]. It is recalled in Section 2. The agents participating in the construction are 
bipoles from the “Universal program”, labelling the inferences of the sequent system. 

Whereas it is quite easy to ensure that the structure collaboratively built by the bipole 
agents remains a proof-structure, it is not so easy to guarantee that it remains a proof- 
net. This requires checking a correctness criterion, which is a topological property of 
the structure that ensures that it can be sequentialised, and hence is a proof-net. A priori, 
checking the correctness criterion may lead each bipole agent to freeze an arbitrarily large 
portion of the topology, resulting in conflicts between the agents, forcing them to take turns 
and, in the end, restoring the artificial sequentialisations of the sequent system that we 
had precisely tried to get rid of by turning to proof-nets. The challenge, addressed here, 
is therefore to identify precisely the portion of the topology that needs to be frozen by a 
candidate inference to ensure that it does not violate the correctness criterion, whatever 
the structure outside this portion. Only those inferences for which these portions overlap 
(conflict) need to be sequentialised. In [2], a simplification procedure was presented, 
which, when applied to a restricted fragment of transitory multiplicative Linear Logic 
(basically modelling multiset rewriting), completely solves the concurrency problem: in 
fact, in this fragment, no correctness conflict ever occurs. Here, we address the problem 
in the whole fragment of transitory multiplicative Linear Logic, where conflicts may 
occur, but we show that they can be minimised, based on topological properties of 
proof-nets which are introduced and proved in Section 3. Note that we still restrict to 
transitory inferences (with at least one premiss), meaning that we ignore the problem 
of terminating agents (which, in fact, poses the same problem as the multiplicative unit 
in correctness checking). Section 4 defines an abstract implementation of a concurrent, 
collaborative proof-net construction mechanism using these properties. 

The bipole agents act as typical infrastructure software (a.k.a. middleware). Indeed, 
they do not capture any application-specific behaviour (justifying their name of “Univer- 
sal program”), but their role is to guarantee that some invariant is preserved, namely that 
the overall structure they build is a proof-net, ie. could be sequentialised into a sequent 
proof. In that sense, they are closely analogous to transaction schedulers in distributed 
applications. Indeed, like bipole agents, transaction schedulers are not concerned with 
the application-level semantics of the actions they involve but only with their interde- 
pendences, and, while bipole agents ensure that the inferences they perform could be 
sequentialised, transaction schedulers ensure that the transactions they enact could be 
serialised. Thus, proof-net construction by concurrent bipole agents provides a generic 
logical model of the behaviour of transaction schedulers, which are essential compo- 
nents of middleware infrastructures. The correspondence between transaction concepts, 
in particular the Atomicity and Isolation properties of “ACID” transactions, and proof- 
theoretic concepts is at the core of the present paper. It is claimed here that this corre- 
spondence is not just a coincidence, or a by-product of logic’s powerful expressivity, but 
reveals the deep computational nature of proof-construction just as the Curry-Howard 
correspondence does to proof-reduction. In particular, the ability to sequentialise, which 
characterises proof-nets, has an operational meaning in the paradigm of proof-net con- 
struction as a set of isolation constraints (the “I” of ACID transactions) among the agents 
that perform the construction. Not surprisingly, the correctness criterion for proof-nets 
is remarkably close to the traditional serialisability criterion of transaction schedulers 
(absence of cycle in the dependency graph of transactions). Hence, we have the following 
correspondence 

    Transactions      | Proof-Net construction
    ------------------+-----------------------
    Serialisability   | Sequentialisability
    Isolation         | Correctness


2 Focussing Proof-Net Construction 

We assume given an infinite set $\mathcal{P}$ of places, and we define a link by a set of top places 
and a set of bottom places, together with a polarity (positive or negative). The sets of 
top and bottom places of a link must be disjoint; furthermore, a negative link must have 
exactly one bottom place, while a positive link must have at least one bottom place. A 
link $L_1$ is said to be just-below a link $L_2$, notation $L_1 / L_2$, if there exists a place which 
is both at the top of $L_1$ and at the bottom of $L_2$. The relation just-above, notation $\backslash$, is the 
converse of $/$, and can be defined in the same way inverting top and bottom. Two links 
are said to be adjacent if one is just-below (or just-above) the other. 

Negative links represent connex combinations of the traditional “par” links of Lin- 
ear Logic (modulo associativity-commutativity). Positive links represent associative- 
commutative connex combinations of the traditional “tensor” links, together with iden- 
tity axioms connected on one side to the input of a tensor link and pending on the other 
side (hence the possibly multiple bottom places). Note that a positive link does not dis- 
tinguish between the main output of the tensor combination and the pending places of 
the identity links. Graphically, the polarities of links are distinguished by their shape: 
triangular for the negative links and round for the positive links, as follows. 

[Figure: the two link shapes, a triangle for a negative link and a circle for a positive 
link, each drawn with its top places above and its bottom places below.] 




Definition 1. A (multiplicative) focussing proof-structure is a set $\pi$ of links satisfying 
the following conditions: 

1. The sets of top (resp. bottom) places of any two links in $\pi$ are disjoint. 

2. If two links in $\pi$ are adjacent, their polarities are opposite. 

A place which is at the top of a link but not at the bottom of any link in a focussing proof- 
structure is called a top place of the structure. The bottom places of a structure are defined 
similarly, by permuting top/bottom. An example of focussing proof-structure is given 
in Figure 1. In the sequel, except when mentioned otherwise, we take proof-structure to 
mean focussing proof-structure. 

Definition 2. A proof-structure $\pi$ is said to be bipolar if any place occurring at the top 
of some positive link in $\pi$ also occurs at the bottom of some negative link in $\pi$ and 
vice-versa. Furthermore, it is said to be elementary if it is bipolar and contains exactly 
one positive link. 

The example of Figure 1 is bipolar. Note that any bipolar proof-structure is the union 
of disjoint elementary proof-structures, and this decomposition is unique. Furthermore, 
each elementary proof-structure corresponds to a bipole. 

It has been shown in [2] how each (possibly open) proof in the focussing bipolar 
sequent calculus can be mapped into a (focussing) proof-structure. This process is called 
desequentialisation, and is strictly analogous to the desequentialisation of sequent proofs 
in Linear Logic [3]. 

Definition 3. A proof-net is a proof-structure obtained by desequentialisation of a (pos- 
sibly open) proof in the focussing bipolar sequent calculus. 

A correctness criterion, characterising proof-nets among arbitrary proof-structures, is 
provided in [2] for transitory focussing proof-structures. It is an adaptation of the Danos- 
Regnier criterion for proof-modules [4], the focussing proof-structures manipulated here 
being, properly speaking, proof-modules. 

Definition 4. A proof-structure is said to be transitory if all its positive links have at 
least one top place. 

The criterion for a (transitory) proof-structure $\pi$ is expressed as a property of the graph 
$/_{\pi}$ (ie. the restriction to $\pi$ of the relation "just-below" on links). We use the following 
notations. Let $\mathcal{L}$ be the set of all links. For any $x \in \mathcal{L}$, the expression $x^+$ (resp. $x^-$) 
means that x has a positive (resp. negative) polarity. For any binary graph $\mathcal{R}$ over $\mathcal{L}$, $|\mathcal{R}|$ 
denotes the support set of $\mathcal{R}$, ie. the set $\bigcup_{x \mathcal{R} y} \{x, y\}$; also, $\mathcal{R}^{op}$ denotes the reverse of 
$\mathcal{R}$ and $\mathcal{R}^*$ its transitive closure. 

Definition 5. A trip $\alpha$ is a non-empty binary relation on $\mathcal{L}$ which is finite, connex and 
such that any element x in $\mathcal{L}$ has at most one successor (written $\alpha^+(x)$ when it exists) 
and at most one predecessor (written $\alpha^-(x)$ when it exists) by $\alpha$. An element of $\mathcal{L}$ is 
called a start-point, stop-point, middle-point of $\alpha$ if it has, respectively, a successor but 
no predecessor, a predecessor but no successor, both a predecessor and a successor. 

It is easy to show that for a given trip $\alpha$, one and only one of the following conditions is 
true: (i) either $\alpha$ has neither start-point nor stop-point, in which case $\alpha$ is called a loop; (ii) 
or $\alpha$ has a unique start-point and a unique stop-point, and they are distinct. Note that a 
loop can never be strictly contained in another loop. 

Definition 6. Let $\mathcal{R}$ be a binary graph over $\mathcal{L}$. 

- $\mathcal{R}$ is said to be polarised if adjacent elements in $\mathcal{R}$ are of opposite polarity: 

$$\forall x, y \in \mathcal{L} \quad x \,\mathcal{R}\, y \Rightarrow (x^- \wedge y^+) \vee (x^+ \wedge y^-)$$

- $\mathcal{R}$ is said to be bipolarised if it is finite, polarised, and negative elements have a 
unique predecessor: 

$$\forall x \in |\mathcal{R}| \quad (x^- \Rightarrow \exists! y \in \mathcal{L} \;\; y \,\mathcal{R}\, x)$$

- A trip $\alpha$ is said to be over $\mathcal{R}$ if $\alpha \subseteq \mathcal{R} \cup \mathcal{R}^{op}$. A singularity for $\mathcal{R}$ of a trip $\alpha$ is a 
negative middle-point x of $\alpha$ such that: 

$$\neg\left(\alpha^-(x) \,\mathcal{R}\, x \,\mathcal{R}\, \alpha^+(x) \;\vee\; \alpha^+(x) \,\mathcal{R}\, x \,\mathcal{R}\, \alpha^-(x)\right)$$

- $\mathcal{R}$ is said to be correct if any loop over $\mathcal{R}$ has at least one singularity for $\mathcal{R}$. 

The correctness criterion is defined for proof-structures as follows, and leads to the 
following result shown in [2] . 

Definition 7. A proof-structure $\pi$ is said to be correct if the relation $/_{\pi}$ (the restriction 
to $\pi$ of the "just-below" relation on links) is correct. 

Theorem 1. Any proof-net is a correct, bipolar proof-structure. Any correct transitory 
bipolar proof-structure is a proof-net. 

3 Properties of the Focussing Proof-Nets 

In this section, we analyse some properties of transitory focussing proof-nets which 
are used, in the next section, to ensure correctness preservation during the bottom-up 
construction of a shared proof-structure by multiple, concurrent agents performing only 
(transitory) bipole expansions. The demonstrations of the main results (provided in the 
submitted version) are available from the authors. 

3.1 Notations and Conventions 

$\mathcal{R}$ denotes a bipolarised, correct, binary relation over $\mathcal{L}$. Being correct, $\mathcal{R}$ is obviously 
acyclic, and it is useful to visualise $\mathcal{R}$ as being oriented bottom-up. Unless specified 
otherwise, trips and singularities are all taken to be relative to $\mathcal{R}$. The elements of $|\mathcal{R}|$ 
are called points. A trip is said to be proper if it is not reduced to a loop with two points. 
A path is a trip that always goes upward (while trips in general may go in any direction). A 
point x is said to be below a point y if there is a path from x to y. A point is called a root 
if there is no point below it. Note that, since $\mathcal{R}$ is bipolarised, roots are always positive. 
Let $\alpha$ be a trip and x a point of $|\alpha|$. 

- If x is not a stop-point of $\alpha$ then $\alpha$ is said to exit x either upward when $x \,\mathcal{R}\, \alpha^+(x)$, 
or downward when $\alpha^+(x) \,\mathcal{R}\, x$. 

- If x is not a start-point of $\alpha$, then $\alpha$ is said to enter x either downward when 
$x \,\mathcal{R}\, \alpha^-(x)$, or upward when $\alpha^-(x) \,\mathcal{R}\, x$. 

3.2 The Domination Forest 

We make use below of a notion of domination order which is different from the standard 
one [5] : whereas the standard notion is applicable to any kind of flow graph, our definition 
applies only to bipolarised and correct graphs. Our definition is formally similar to the 
standard one, but considers only singularity-free trips in the graphs, and the proofs of the 
main results are essentially different, as they exploit the specific properties of bipolarised 
correct graphs. Moreover, properly speaking, the domination order here is not a tree (as 
in the standard case) but a forest. 

Definition 8. Let x, y be negative points. x is said to dominate y (notation $x \le y$) if 
any singularity-free trip starting at a root and stopping upward at y visits x upward. 

Note that for any negative point x, there exists at least one singularity-free trip starting 
at a root and stopping upward at x: any path from any root below x to x will do (a path 
is obviously a singularity-free trip); such paths always exist, since $\mathcal{R}$ is acyclic and x 
cannot itself be a root since it is negative while the roots are positive. 

Proposition 1. The relation $\le$ on negative points is a forest order. 

We write $x < y$ for $x \le y \wedge x \ne y$. Since $\le$ is a forest order, we have: 

- Any set of negative points X which has a lower bound by $\le$ has a greatest lower 
bound, written $\sqcap(X)$ and called the joint dominator of X; as usual, $\sqcap(\{x, y\})$ is 
written $x \sqcap y$. 

- The set of predecessors by $<$ of any negative point x, if not empty, has a greatest 
element by $\le$, written $\delta(x)$ and called the immediate dominator of x. 

Note that the knowledge of any one of $\le$, $<$, $\sqcap$, $\delta$ is sufficient to recover all the others. 

Theorem 2. Let x, y be negative points, and let $\alpha$ be a singularity-free trip starting 
downward at x and stopping upward at y. Then any negative point visited by $\alpha$ is strictly 
dominated by $x \sqcap y$ (when defined), ie. 

$$\forall z \in |\alpha| \quad z^- \Rightarrow x \sqcap y < z$$

3.3 Domination under Expansion 

In a bipolar expansion step of the proof-net construction process, $\mathcal{R}$ is turned into $\mathcal{R}' = 
\mathcal{R} \cup (N \times \{p\})$ where p is the (unique) positive link introduced by the bipole and N the 
set of already present negative links at the top places of which p is connected. In fact, 
$\mathcal{R}'$ also contains the set of pairs (p, n) where n ranges over the negative links introduced 
by the bipole, but we will not consider them here as they do not affect the correctness 
of $\mathcal{R}'$. 

Proposition 2. Let $N \subseteq |\mathcal{R}|$ be a set of negative elements, and $p \in \mathcal{L} \setminus |\mathcal{R}|$ be a positive 
element. The graph $\mathcal{R}' = \mathcal{R} \cup (N \times \{p\})$ is bipolarised. Furthermore, it is correct if 
and only if there is no singularity-free trip in $\mathcal{R}$ starting downward at some $x \in N$ and 
stopping upward at some $y \in N$. 

We now assume that the graph $\mathcal{R}' = \mathcal{R} \cup (N \times \{p\})$ is correct. The following result, 
making explicit the relation between $\le$, $\delta$ induced by $\mathcal{R}$ and their counterparts $\le'$, $\delta'$ induced 
by $\mathcal{R}'$, underlies our concurrent proof-net construction algorithm. 

Theorem 3. Let x be a negative point. 

Either $\delta(x) <' x$ and $\delta'(x) = \delta(x)$, or $\neg(\delta(x) <' x)$ and $\sqcap(N) \le \delta'(x) < \delta(x)$. 



4 A Proof-Net Construction Algorithm 

4.1 Information Containers 

The proof-net construction mechanism considered here proceeds by expansion steps 
performed by concurrent agents, each applying a bipole to a set of places that match 
its trigger. To ensure that the construction remains a proof-net, each agent must check, 
for each candidate expansion, that its application would not violate the criterion given 
by Theorem 1 (we assume here that the agents apply only transitory bipoles, so the 
condition of the Theorem is satisfied). Performing such a check amounts to some kind 
of traversal of the proof-net built so far: it is useful to visualise it in terms of a token 
moving from each link to adjacent links in the proof-net, gathering and checking in- 
formation on the way. Hence, an expansion step is itself a transaction composed of a 
set of micro-steps, including the traversal of the net and, eventually, the installation of 
the successful candidate expansion. In each micro-step, the transaction retrieves and/or 
updates information about the proof-net. For example, it may retrieve information like: 
what are the links adjacent to link x in the proof-net ? It may also update information, 
like: link x has a new adjacent link y in the proof-net (this happens when the expansion 
is actually performed, after a successful correctness check). Adjacency information is 
obviously crucial to correctness checking. We will see that other pieces of information 
are also relevant. 

To be useful, the information retrieved in each micro-step of a transaction t needs to 
be protected against updates of that same information by concurrent transactions, until 
t is completed. For this purpose, we assume that the information is encapsulated into 
containers that keep track of which transactions access them. Whenever a transaction t 
accesses a container, it locks it, thus denying access to its content to any other transac- 
tions, until t either commits or aborts. We assume here a simple locking model which 
does not distinguish between access modes (read or write) of the operations. We assume 
that (i) whenever a transaction commits, it releases all the locks it has acquired; (ii) 
whenever a transaction aborts, all the updates made to the containers it has locked are 
cancelled before the locks are released; (iii) in order to avoid deadlocks, whenever a 
transaction is denied access to a container, the whole transaction is aborted (thus freeing 
all its locks) and retried from the start (this is a rather crude way of sequentialising 
conflicting transactions, used here for simplicity; any of the other traditional strategies, 
eg. based on arbitrary prioritisation of the transactions, is applicable here). 

There is one container for each link in the proof-net, holding the adjacency infor- 
mation, ie. pointers to the containers of the links which are just-above and just-below 
in the proof-net. Note that, due to the way the construction proceeds, the information 
concerning the links just-below is never changed after creation of a link. The informa- 
tion concerning the links just-above is also never changed in the case of a positive link, 
whereas it may be changed by some further expansion of the proof-net in the case of 
a negative link. Hence, locking is only needed for negative links, and only when the 
information concerning the links just-above is accessed. 

As an optimisation, two links need not be put in separate containers if it can be 
guaranteed that whenever a transaction locks one, it also eventually locks the other. 
Hence, containers may group more than one link. Grouping may be done by sessions as 
proposed in [2]. This optimisation could straightforwardly be incorporated in the sequel, 
but will be omitted here for simplification purpose. 

Finally, the information attached to each place is also encapsulated into containers. 
Typically, a place container holds the type attached to that place (a negative atom, never 
changed) as well as pointers to the containers of the links of the proof-net at the top or 
Table 1. A naive implementation of expansion checking 

    Procedure check(T: set of places) 
      Let N = ∅ 
      For-each a ∈ T Do: 
        Lock a; If a is consumed Then: Abort 
        Add to N the (negative) link at the top of which a appears 
      For-each x ∈ N Do: Call check-trip↓(x, N, ∅) 

    Procedure check-trip↓(x: negative link, N, A: set of negative links) 
      If x ∉ A Then: 
        Let y be the (positive) link just-below x 
        For-each (negative) link x' ≠ x just-above y Do: Call check-trip↑(x', N, A) 
        For-each (negative) link x' just-below y Do: Call check-trip↓(x', N, A) 

    Procedure check-trip↑(x: negative link, N, A: set of negative links) 
      If x ∈ N Then: Abort Else: Lock x 
      For-each (positive) link y just-above x Do: 
        For-each (negative) link x' just-above y Do: Call check-trip↑(x', N, A ∪ {x}) 
        For-each (negative) link x' ≠ x just-below y Do: Call check-trip↓(x', N, A ∪ {x}) 



bottom of which that place appears. The link at the top of which a place appears is never 
changed after creation of that place. On the other hand, the link at the bottom of which 
a place appears may be added dynamically, by an expansion step, but once it is set, it 
is never changed (the place is then said to be consumed). Place containers are used to 
ensure that the construction remains a proof-structure (a pre-requisite to correctness), 
simply by preventing that a place be consumed by several concurrent transactions. 

To perform an expansion of the proof-net built so far from a given set of places, 
a bipole agent proceeds in two steps: (i) it first checks that the candidate expansion 
would not break the proof-structure nor violate the correctness criterion; (ii) it then 
installs the candidate expansion, creating and/or updating place and link containers with 
the appropriate information. The first phase reads information from the already existing 
containers, while the second phase updates the information in these containers, and 
creates new containers. These two phases are executed in a single transaction. 



4.2 A Naive Procedure 

A naive procedure for the first phase (preservation of proof-structure and correctness) is 
given in Table 1. It is a direct application of Proposition 2, reformulated here as follows: 

An expansion of a proof-net π from a set of places T (matching the trigger of a 
bipole) yields a proof-net if and only if (i) no place of T is at the bottom of a 
link of π and (ii) there exists no singularity-free trip over π starting downward 
at some link x and stopping upward at some link y such that both x, y have a 
top place in T. 
Table 2. Computation of the joint dominator of a set of points 

Procedure joint-dom(N: set of negative links) Returns negative link (or undefined) 
    Sort N by decreasing height 
    While N has more than 1 element: 
        Remove the first point x from N 
        If δ(x) is undefined Then: Return undefined Else: Lock x 
        If δ(x) ∉ N Then: Insert δ(x) in N, so that it remains sorted 
    Return the single remaining element of N 



Thus, procedure check of Table 1 first computes the set N of points having a top place 
in T, checking at the same time condition (i) above. It then follows all the possible 
singularity-free trips starting downward at a link of N. If one of them stops upward at 
another link of N, then it means that the candidate expansion induces a violation of 
the correctness criterion and the transaction should be aborted. Otherwise, correctness 
is preserved and the transaction can proceed with the second phase (installation of the 
expansion) and be committed. 

Following the singularity-free trips is achieved by the two procedures check-trip. 
Their first parameter x denotes the current negative link in the trip being built, and the 
direction of the arrow (↑ or ↓) denotes the direction of traversal of that link (upward 
or downward). The second parameter N is the set of links which must not be reached 
upward. The third parameter A denotes the set of negative links already visited upward 
by the trip, and is used to ensure that the trip does not visit them again downward (this 
is sufficient to ensure that no link is ever visited twice). Locking is only needed in the 
upward visit phases, since these are the only phases which use information which may 
be modified by concurrent transactions (namely the information concerning the links 
just-above). 

However, the systematic exploration of all singularity-free trips starting at N amounts 
to locking a large portion of the proof-net, and decreases the potential concurrency of the 
transactions. We use below the results of Section 3 to reduce the amount of exploration 
required by each candidate expansion and thus improve the potential for concurrency in 
the construction. Basically, we enrich the containers with additional information about 
the proof-net (beyond bare adjacency), and use it to limit the scope of the exploration 
of singularity-free trips. The constraint here is two-fold: (i) the additional information 
should make it possible to compute a practical limit to the exploration (and locking); (ii) the 
update of the additional information in case of success should not itself require new 
explorations (and locking). 

4.3 An Improved Procedure 

Given a candidate expansion at a set T of places, the procedure of Table 1 computes all 
the singularity-free trips starting downward at a point x of N, to check that none of them 
stops upward at another point y of N (where N is the set of links of π with a top place 
in T). Now, by Theorem 2, any negative point z of such a trip satisfies x ⊓ y ≤ z, hence 
⊓(N) ≤ z. Thus, in the procedure of Table 1, the exploration of the singularity-free trips 
in the current proof-net can be limited by ⊓(N) (when it exists). The computation of 
⊓(N) can itself be obtained using only the mapping δ (the immediate dominator mapping). 
Thus, the additional information we propose to store in each container for a (negative) 
link x is a pointer to the container of δ(x) (when it exists, otherwise some null pointer). 

Table 3. An improved implementation of expansion checking 

Procedure check(T: set of places) 
    Let N = ∅ 
    For-each a ∈ T Do: 
        Lock a; If a is consumed Then: Abort 
        Add to N the (negative) link at the top of which a appears 
    Let ℓ = joint-dom(N) 
    If ℓ is defined Then: Let A = {ℓ} Else: Let A = ∅ 
    Let U = ∅ 
    For-each x ∈ N Do: Add check-trip↓(x, N, A) to U 
    For-each x ∈ U Do: Set δ(x) = joint-dom({δ(x), ℓ}) 

Procedure check-trip↓(x: negative link, N, A: set of negative links) 
    Returns set of negative links 
    Let U = ∅ 
    If x ∉ A Then: 
        Let y be the (positive) link just-below x 
        For-each (negative) link x' ≠ x just-above y Do: Add check-trip↑(x', N, A) to U 
        For-each (negative) link x' just-below y Do: Add check-trip↓(x', N, A) to U 
    Return U 

Procedure check-trip↑(x: negative link, N, A: set of negative links) 
    Returns set of negative links 
    If x ∈ N Then: Abort Else: Lock x 
    Let U = {x} 
    For-each (positive) link y just-above x Do: 
        For-each (negative) link x' just-above y Do: Add check-trip↑(x', N, A ∪ {x}) to U 
        For-each (negative) link x' ≠ x just-below y Do: Add check-trip↓(x', N, A ∪ {x}) to U 
    Return U 

Note that each expansion step may update the immediate dominator information in 
several containers, and it needs to be locked when used in a transaction to compute 
⊓(N), as shown in the procedure of Table 2. This procedure also makes use of a height 
information, included in the containers. This information is a positive integer computed 
each time a container is created (and never modified afterwards) so as to respect the 
following condition: the height of a container is strictly greater than the height of any 
of the containers which are just-below it (the set of which is known at the time of the 
creation of the container and never changes). 

Now, the joint dominator ⊓(N) sets a good limit on the exploration of the singularity- 
free trips starting downward at N. However, there is a price to pay: the immediate 
dominator information from which the joint dominator is computed has to be maintained. 
In particular, when a candidate expansion is successfully installed, the immediate 
dominator information stored in an a priori unknown number of containers may have to be 
updated. Fortunately, Theorem 3 shows that the area which has to be considered for the 
update is itself limited by ⊓(N). More precisely, there is no need to consider for 
update the containers other than those which have been visited, and locked. The procedure 
of Table 3 modifies the naive one to compute the set of containers which need to be 
considered for update (U in procedure check). 

It is not obvious how to compute exactly the updated value of δ(x) at each container x 
in U. Instead, we use Theorem 3 to assign a lower bound of this value: δ(x) ⊓ ⊓(N). 
This means that the actual algorithm does not maintain the exact value of the immediate 
dominator at each negative point, but a lower bound. Hence, the computation of the 
joint dominator may return a lower bound of the true value. This may result in wider 
explorations than strictly needed, but does not compromise the validity of the algorithm. 
The figure below illustrates the difference between the naive and improved procedure 
on a simple example (black/white nodes are positive/negative links): 

[Figure omitted. Legend: nodes locked by both procedures; nodes locked by the naive 
procedure only.] 
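The naive check of Table 1 and the joint-dominator computation of Table 2, as an added example that is not part of the paper: a Python model run on a small constructed net. Locking is simulated by recording container names, so the locked set shows how much of the net one check touches. The immediate-dominator pointers δ are assigned by hand for the example net, since the paper's definition of domination is not reproduced on this page; the net-building helper `expand`, the hypothetical place and link names and the `run`/`joint_dom_of` drivers are assumptions of the example, not part of the paper.

```python
"""Naive expansion checking (Table 1) and joint dominator (Table 2) on a bipolar
proof-net.  Added example, not the paper's code.  Single-threaded: "locking" only
records container names, so the locked set shows how much of the net one check
touches.  The delta pointers read by joint_dom are set by hand for the example net
(the paper's definition of domination is not reproduced on this page)."""

class Abort(Exception): pass          # the transaction is aborted

class Link:
    """One link container.  Positive link: `below`/`above` are the negative links
    just-below/just-above (fixed).  Negative link: `below` is the unique positive
    link just-below (fixed), `above` the positive links just-above (may grow)."""
    def __init__(self, name, height, below):
        self.name, self.height, self.below = name, height, below
        self.above, self.idom = [], None      # idom = delta(x), or None if undefined

class ProofNet:
    def __init__(self):
        # places[name] = {"top": link at whose top the place appears, "consumed": bool}
        self.places, self.links, self.locked = {}, {}, set()

    def check(self, trigger):           # Table 1: first phase of an expansion
        N = []
        for pn in trigger:
            a = self.places[pn]
            self.locked.add(pn)
            if a["consumed"]:           # condition (i)
                raise Abort(f"place {pn} is already consumed")
            if a["top"] not in N:
                N.append(a["top"])
        for x in N:                     # condition (ii)
            self.trip_down(x, N, frozenset())
        return N

    def trip_down(self, x, N, A):       # reads only fixed just-below data: no lock
        if x in A:
            return
        y = x.below
        for x2 in y.above:              # bounce upward into a sibling branch
            if x2 is not x:
                self.trip_up(x2, N, A)
        for x2 in y.below:              # continue downward
            self.trip_down(x2, N, A)

    def trip_up(self, x, N, A):
        if x in N:
            raise Abort(f"trip stops upward at {x.name}: would close a cycle")
        self.locked.add(x.name)         # just-above data may change concurrently
        for y in x.above:
            for x2 in y.above:
                self.trip_up(x2, N, A | {x})
            for x2 in y.below:
                if x2 is not x:
                    self.trip_down(x2, N, A | {x})

    def expand(self, name, trigger, branches):   # one transaction: check, then install
        self.locked = set()
        N = self.check(trigger)
        y = self.links[name] = Link(name, 1 + max((x.height for x in N), default=0), N)
        for x in N:
            x.above.append(y)
        for pn in trigger:
            self.places[pn]["consumed"] = True
        for xname, outs in branches.items():     # one negative link per branch
            x = self.links[xname] = Link(xname, y.height + 1, y)
            y.above.append(x)
            for pn in outs:
                self.places[pn] = {"top": x, "consumed": False}

def joint_dom(net, N):                  # Table 2, using delta and the heights (N nonempty)
    todo = sorted(N, key=lambda z: -z.height)
    while len(todo) > 1:
        x = todo.pop(0)
        if x.idom is None:
            return None
        net.locked.add(x.name)
        if x.idom not in todo:
            todo.append(x.idom)
            todo.sort(key=lambda z: -z.height)
    return todo[0]

def example_net():
    """Constructed net: r creates a, b, c; y1 consumes a into branches x1 (d), x2 (e);
    y2 consumes b into x3 (f).  Set by hand: delta(x1) = delta(x2) = delta(x3) = r."""
    net = ProofNet()
    net.expand("y0", [], {"r": ["a", "b", "c"]})
    net.expand("y1", ["a"], {"x1": ["d"], "x2": ["e"]})
    net.expand("y2", ["b"], {"x3": ["f"]})
    for n in ("x1", "x2", "x3"):
        net.links[n].idom = net.links["r"]
    return net

def run(trigger):                       # verdict and locked containers for a candidate
    net, verdict = example_net(), "accepted"
    try:
        net.expand("y3", trigger, {"x4": ["g"]})
    except Abort:
        verdict = "aborted"
    return verdict, sorted(net.locked)

def joint_dom_of(names):
    net = example_net()
    net.locked = set()
    d = joint_dom(net, [net.links[n] for n in names])
    return (d.name if d else None), sorted(net.locked)
```

Consuming d and e together is rejected: the trip starting downward at x1 reaches the positive link y1 below it and bounces upward into the sibling branch x2, which is itself in N. Consuming d and f, which come from two different bipoles, is accepted, and the locked set shows that the naive check locked x2 beyond the trigger places. joint_dom on {x1, x3} returns r after locking only x1 and x3.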
5 Related Work 

The standard notion of domination tree has been used in the past for correctness checking 
of proof-nets [5]. It is not clear whether this work, which is not concerned with proof- 
net construction, has any relationship with the work presented here, since our notion 
of domination does not coincide with the standard one. The actual properties proved in 
each case are different and support entirely different uses of proof-nets. 

Proof-search in the sequent system of Linear Logic has been widely investigated. 
Proof-net search by a sequential process has also been studied in [6]. Our approach 
addresses concurrency in proof-net construction as an essential feature. 

Petri-nets [7], introduced to study concurrency of processes competing for bounded 
resources, are the closest formal tool to our proposal. It was remarked early in the 
development of Linear Logic that proof-nets have strong connections with Petri-nets [8]. 
There are major differences though. 

- In the proof-net construction paradigm, proof-nets are used as a means of representing 
a trace of past actions (the construction so far) in order to constrain future actions (by 
imposing transactional isolation constraints). Petri-nets, on the other hand, are used 
as a specification tool for concurrent programs. In particular, as a trace, a proof-net 
(or even a proof-structure) never contains cycles, while, as a specification, a Petri-net 
naturally allows cycles. In a middleware paradigm, the purpose is not to model what 
should take place in an application (specification) but rather to capture what actually 
takes place (trace). Proof-nets are therefore more appropriate for our purpose. Note 
that, of course, proof-nets as used here can naturally represent the trace of Petri-net 
executions, with a straightforward mapping between the bipoles used in the proof- 
nets and the actual execution of transitions in the Petri-net. However, usual Petri-net 
transitions (multiset rewriting) lead to simple proof-nets which do not need the kind 
of correctness checking procedure presented here: in fact they fall in the fragment 
considered in [2] for which no correctness problem can occur. 

- The difference in purpose between specification and trace, which, by the way, cor- 
responds to a deep cultural gap in the computing community between application 
programmers looking at how to implement things and system managers trying rather 
to understand what is going on in a system, has important consequences on the sub- 
sequent use of the tools. Petri-nets have been extended in many ways, in order to 
enhance their expressivity, according to needs arising from applications or intuition. 
And indeed, extensions of Petri-nets have been proposed to capture various forms of 
transactional and contextual features [9,10,11] at the specification level. On the other 
hand, proof-nets need to be kept as bare as possible and avoid ad-hoc extensions 
which would not fit in the abstract proof machinery (the multiplication of concepts 
would make them useless as a tool to understand what is going on). The present 
paper tries to provide an understanding of concurrency and transaction concepts 
only in terms of the basic operations provided by Linear Logic. 

The same discussion applies to other tools used to specify concurrent systems (or analyse 
them based on such specifications), such as the many process calculi [12,13,14] (the join 
calculus, in particular, is directly related to the work presented here), or the various 
coordination models based on shared tuple spaces (which also have many relations, 
including historical ones, with the work presented here). 

6 Conclusion 

Proof-nets are a powerful tool to represent and understand concurrency in computations. 
In particular, proof-net construction by a set of concurrent, decentralised agents provides 
an abstract model of infrastructure software in distributed applications (a.k.a. middle- 
ware). More precisely, proof-net construction captures in a natural way the behaviour of 
an essential component of middleware infrastructures, namely transaction schedulers. 
The concept of transaction has been widely investigated in the literature, and addresses 
basic intuitions such as atomicity and isolation in concurrent actions. 

In this paper, we claim that the true computational content of proof-construction is 
given in terms of atomicity and isolation constraints between a set of agents performing 
expansion steps in a proof-net. We give a naive algorithm ensuring that the shared 
structure being built remains a proof-net. The proposed algorithm is at the same time 
incremental and truly concurrent. It does not rely on any kind of “behind the scene” 
interaction between the agents in order to synchronise: the proof-net being built is the 
only piece of data shared between the agents. 

However, the naive algorithm may result in unbounded explorations of the net at 
each expansion step. A fine-grain analysis of proof-net properties allows us to improve 
the algorithm, by setting a computationally tractable bound to the required exploration. 
One of the main tools used in this analysis is the concept of "domination" order attached 
to a graph. This concept is not new, and has been used in various contexts involving the 
study of flow-graphs in general. We use a different version of this concept here, to de- 
rive important properties of proof-nets used in the concurrent, incremental construction 
algorithm. 
We will speak about three traditions in Logic: 

• Classical, usually associated with Frege, Hilbert, Gödel, Tarski, and others; 

• Intuitionistic, founded by Brouwer, Heyting, Kolmogorov, Gödel, Kleene, and 
others; 

• Explicit, which we trace back to Skolem, Curry, Gödel, Church, and others. 

The classical tradition in logic based on quantifiers ∀ and ∃ essentially re- 
flected the 19th century mathematician's way of representing dependencies be- 
tween entities. A sentence ∀x∃yA(x, y), though specifying a certain relation be- 
tween x and y, did not mean that the latter is a function of the former, let alone 
a computable one. The Intuitionistic approach provided a principal shift toward 
the effective functional reading of the mathematician's quantifiers. A new, non- 
Tarskian semantics had been suggested by Kleene: realizability, which revealed a 
computational content of logical derivations. In a decent intuitionistic system, a 
proof of ∀x∃yA(x, y) yields a program f that computes y = f(x). 

Explicit tradition makes the ultimate step by using representative systems 
of functions instead of quantifiers from the very beginning. Since the work of 
Skolem, 1920, it has been known that the classical logic can be adequately re- 
cast in this way. Church in 1936 showed that even the very basic system of 
function definition and function application is capable of emulating any com- 
putable procedure. However, despite this impressive start, the explicit tradition 
remained a Cinderella of mathematical logic for decades. Now things have 
changed: due to its very explicitness, this third tradition became the one most 
closely connected with Computer Science. 

In this talk we will show how switching from quantifiers to explicit functional 
language helps problem solving in both theoretical logic and its applications. A 
discovery of a natural system of self-referential proof terms, proof polynomials, 
was essential in the solution to an open problem of Godel concerning formal- 
ization of provability. Proof polynomials considerably extend the Curry-Howard 
isomorphism and lead to a joint calculus of propositions and proofs which unifies 
several previously unrelated areas. It changes our conception of the appropriate 
syntax and semantics for reasoning about knowledge, functional programming 
languages, formalized deduction and verification. 
Abstract. For a fixed countable homogeneous relational structure Γ we 
study the computational problem whether a given finite structure of the 
same signature homomorphically maps to Γ. This problem is known as 
the constraint satisfaction problem CSP(Γ) for Γ and was intensively 
studied for finite Γ. We show that, as in the case of finite Γ, the 
computational complexity of CSP(Γ) for countable homogeneous Γ is 
determined by the clone of polymorphisms of Γ. To this end we prove 
the following theorem which is of independent interest: the primitive 
positive definable relations over an ω-categorical structure Γ are precisely 
the relations that are invariant under the polymorphisms of Γ. 

Constraint satisfaction with countable homogeneous templates is a proper 
generalization of constraint satisfaction with finite templates. If the age 
of Γ is finitely axiomatizable, then CSP(Γ) is in NP. If Γ is a digraph 
we can use the classification of homogeneous digraphs by Cherlin to de- 
termine the complexity of CSP(Γ). 

1 Introduction 

For a fixed relational structure Γ (called the template), the constraint satisfaction 
problem CSP(Γ) is the following computational problem: Given a finite structure 
S of the same signature as Γ, is there a homomorphism from S to Γ? 

Constraint satisfa ction problems frequently occur in theoretical computer 
science, and have attracted much attention for finite templates Γ. It is conjec- 
tured that CSP(Γ) has a dichotomy in the sense that every constraint satisfac- 
tion problem CSP(Γ) for a finite structure Γ is either tractable or NP-complete. 
This is true for templates that are undirected graphs [20], for two element tem- 
plates [35] or three element templates [6]. It is known that every constraint satis- 
faction problem is polynomial time equivalent to a digraph-homomorphism prob- 
lem [17]. There are powerful classes of algorithms solving the known tractable 
constraint satisfaction problems [17], namely group theoretic algorithms and 
local-consistency based algorithms [14,21]. 

But many constraint satisfaction problems in the literature cannot be formu- 
lated as a constraint satisfaction problem with a finite template. One example 
is Allen's interval algebra [1] that has applications in temporal reasoning in 
artificial intelligence. The classification of the tractable and hard subalgebras 
of Allen's algebra was completed only recently [30,24], and they also exhibit 
a complexity dichotomy. Other examples are tree description languages that 
were introduced in computational linguistics [11,4,3]. Even digraph-acyclicity 
cannot be formulated as a constraint satisfaction problem with a finite template 
Γ. However, arbitrary infinite templates Γ might have undecidable constraint 
satisfaction problems. 

We propose to study constraint satisfaction with countable homogeneous tem- 
plates. This can be seen as a strict generalization of constraint satisfaction with 
finite templates, since every constraint satisfaction problem with a finite tem- 
plate is polynomial-time equivalent to a constraint satisfaction problem with 
a homogeneous template (see Section 3). Moreover, the constraint satisfaction 
problems mentioned above can be formulated naturally in this new framework. 
To prove tractability or hardness of constraint satisfaction problems with ho- 
mogeneous templates, reductions to different hard problems and new algorithms 
are used, which have not yet been considered for CSP(Γ) with finite Γ. Count- 
able homogeneous structures are intensively studied by model theorists, and 
they have many remarkable properties. For finite signatures they allow quanti- 
fier elimination and are ω-categorical, i.e. their first-order theories have only one 
countable model up to isomorphism. Countable homogeneous structures have 
been classified for all digraphs [10]. 

Adding relations to a template Γ that are primitive positive definable over Γ 
does not change the computational complexity of CSP(Γ). The central theorem 
here [5] is that a relation is primitive positive definable over a finite relational 
structure Γ if and only if it is left invariant under the polymorphisms of Γ. This 
was first used in the context of constraint satisfaction by Jeavons et al. [23], and 
initiated the algebraic approach to constraint satisfaction, which has success- 
fully been carried further e.g. in [13]. We generalize this result to ω-categorical 
structures Γ: a relation is p.p.-definable in Γ if and only if it is invariant under 
the polymorphisms of Γ. 

We can determine the complexity of CSP(Γ) and prove a dichotomy if Γ is a 
homogeneous graph or a tournament. Since there are uncountably many count- 
able homogeneous digraphs Γ and uncountably many corresponding constraint 
satisfaction problems, the class of problems CSP(Γ) contains undecidable prob- 
lems. However, if we assume that the class of finite induced substructures of a 
countable homogeneous digraph Γ is finitely axiomatized, one can determine the 
complexity of CSP(Γ) with a classification result of Cherlin [10]. 

The paper is organized as follows. We first give some background on rela- 
tional homogeneous structures. In the next section on combinatorial constraint 
satisfaction problems we explain the role of primitive positive definability in con- 
straint satisfaction. We give a characterization of primitive positive definability 
on homogeneous structures in Section 5 after introducing the necessary tools 
from universal algebra in Section 4. We end with a catalog of homogeneous 
relational structures and a discussion of their constraint satisfaction problems. 

2 Background 

A relational signature τ is a (in this paper always at most countable) set of 
relation symbols R_i, each associated with an arity k_i. A (relational) structure 
Γ over relational signature τ (also called τ-structure) is a set D_Γ (the domain) 
together with a relation R_i ⊆ D_Γ^{k_i} for each relation symbol of arity k_i. For 
simplicity we denote both a relation symbol and its corresponding relation with 
the same symbol. For a τ-structure Γ and R ∈ τ it will also be convenient to 
say that R(u_1, ..., u_k) holds in Γ if (u_1, ..., u_k) ∈ R. We sometimes use the 
shortened notation x̄ for a vector x_1, ..., x_n of any length. 

A first-order formula φ over the signature τ is said to be primitive positive 
(we say φ is a p.p.-formula, for short) if it is of the form 

$$\exists \bar{x}\,\big(\varphi_1(\bar{x}) \wedge \cdots \wedge \varphi_k(\bar{x})\big),$$

where φ_1, ..., φ_k are atomic formulas. (For an introduction to first order logic 
and model theory see [22].) Let Γ be a relational structure of signature τ. Then 
a p.p.-formula φ over τ with k free variables defines a k-ary relation R ⊆ D_Γ^k: 
the relation R is the set of all tuples satisfying the formula φ in Γ. Equivalently, 
R is contained in ⟨Γ⟩_pp if and only if there exists a finite relational τ-structure 
S containing k designated vertices x_1, ..., x_k such that 

$$R = \{ (f(x_1), \ldots, f(x_k)) \mid f\colon S \to \Gamma \text{ homomorphism} \}.$$

We call these relations p.p.-definable, and denote the relational structure that 
contains all such relations for a given Γ by ⟨Γ⟩_pp. Likewise, the larger set of all 
first order definable relations is denoted by ⟨Γ⟩_fo. 

A relational structure r is called homogeneous (in the literature also ultra- 
homogeneous ) if every partial isomorphism between two finite substructures can 
be extended to an automorphism of r. Prominent examples of countable ho- 
mogeneous structures are the Rado graph R and the dense linear order (Q, <). 
The Rado graph can be defined as the unique (up to isomorphism) model of 
the almost-sure theory of finite random graphs. Homogeneous structures have 
been classified for graphs [27], for tournaments, for posets [36], and finally di- 
graphs [10] (there are continuum many homogeneous digraphs). For homoge- 
neous structures with arbitrary relational signatures a classification is not yet 
known. 

Constraint Satisfaction with Countable Homogeneous Templates 

The age Sub(Γ) of a relational structure Γ over τ is the set of all finite 
structures over τ that (isomorphically) embed in Γ. An important property 
of countable homogeneous structures is their characterization by amalgamation 
classes. A class of finite structures C is an amalgamation class if C is nonempty, 
closed under isomorphism and taking induced substructures, and has the amal- 
gamation property. The amalgamation property says that for all A, B_1, B_2 ∈ C 
and embeddings e: A → B_1 and f: A → B_2 there exists C ∈ C and embeddings 
g: B_1 → C and h: B_2 → C such that ge = hf. 

Theorem 1 (Fraïssé [18]). A countable class C of finite relational structures 
with countable signature is the age of a unique (up to isomorphism) countable 
homogeneous structure if and only if C is an amalgamation class. 

If C is an amalgamation class, we call the corresponding countable homoge- 
neous structure the Fraïssé-limit of C. By definition amalgamation classes can 
be defined by a set of forbidden induced finite substructures. For a set of finite 
structures N over τ we denote by Forb(N) the set of finite structures S over τ 
such that no structure in N is embeddable in S. We say that a class of finite 
structures C over τ is finitely axiomatizable if there exists a first order formula 
φ over τ such that for all τ-structures A we have A ∈ C if and only if A is a 
model of φ. By compactness it follows that an amalgamation class C is finitely 
axiomatizable if and only if C = Forb(N) for some finite set of forbidden induced 
substructures N. 

A homogeneous structure Γ over a finite signature is ω-categorical, i.e. every 
countable structure satisfying the same first order formulas as Γ is isomorphic 
to Γ. A relational structure is called oligomorphic iff the automorphism group 
Aut(Γ) of the structure Γ has, for every n, only a finite number of orbits on the 
set of n-tuples of elements of Γ. The following theorem is essential (see [22]): 

Theorem 2 (Engeler, Ryll-Nardzewski, Svenonius). A countable struc- 
ture Γ is ω-categorical if and only if Aut(Γ) is oligomorphic. 

3 Combinatorial Constraint Satisfaction 

Let Γ be an arbitrary structure with relational signature τ, also called the tem- 
plate. Then the constraint satisfaction problem CSP(Γ) is the following compu- 
tational problem: 

Given: A finite τ-structure S. 

Question: Is there some homomorphism from S to Γ? 

Formally, we denote by CSP(Γ) the set of all finite τ-structures that homo- 
morphically map to Γ. For finite Γ we can assume without loss of generality 
that Γ is a core, i.e. all endomorphisms of Γ are automorphisms. If Γ is a core, 
adding all the singleton relations to Γ does not change the complexity of CSP(Γ) 
(as stated in [7]). In this case Γ becomes a homogeneous relational structure. 
Therefore constraint satisfaction with homogeneous templates can be seen as a 
generalization of constraint satisfaction with finite templates. 

All constraint satisfaction problems with finite Γ are clearly contained in NP. 
If the age of a relational homogeneous structure Γ of finite signature is finitely 
axiomatizable then CSP(Γ) is also contained in NP. To see this, suppose we are 
given an instance S of CSP(Γ). An algorithm can then guess the image of S 
under a homomorphism, and verify that the image belongs to the age of Γ in 
polynomial time using the finite axiomatization. Thus we have 

Proposition 1. Let Γ be a countable homogeneous relational structure of finite 
signature τ with a finitely axiomatizable age. Then CSP(Γ) is in NP. 

Note that we need the axiomatizability assumption in Proposition 1 as there exist 
homogeneous Γ such that CSP(Γ) is undecidable, see Section 6. In analogy with 
the dichotomy conjecture of Feder and Vardi [17], we can make the following 
conjecture. 

Conjecture 1 (Dichotomy). Let Γ be a countable homogeneous relational struc- 
ture with a finitely axiomatizable age. Then the class of constraint satisfaction 
problems CSP(Γ) has a dichotomy. 

For both finite and infinite Γ the following simple lemma explains the rel- 
evance of p.p.-definable relations in constraint satisfaction. Suppose we extend 
a relational structure Γ by a p.p.-definable relation R. This does not change 
the computational complexity of the corresponding constraint satisfaction prob- 
lem, since we can replace every occurrence of R in an instance of CSP(Γ') by the 
τ-structure that defines R. 

Lemma 1. Let Γ be a τ-structure and let Γ' be the extension of this structure 
by a relation R that is p.p.-definable over Γ. Then CSP(Γ) is polynomial-time 
equivalent to CSP(Γ'). 

In the next section we introduce the algebraic notions that will be needed to 
characterize p.p. -definability. 



4 The Clone of Polymorphisms 

In this section, D will stand for a countable set and O for the set of finitary 
operations on D, i.e., functions from D^k to D for finite k. We say that f ∈ O 
preserves a k-ary relation R ⊆ D^k if R is a subalgebra of (D, f)^k. An operation 
that preserves all relations of a relational structure Γ is called a polymorphism 
of Γ. The set of all k-ary polymorphisms of Γ is denoted by Pol^{(k)}(Γ), and we 
write Pol(Γ) for the set of all finitary polymorphisms, $\mathrm{Pol}(\Gamma) = \bigcup_{k \ge 1} \mathrm{Pol}^{(k)}(\Gamma)$. 

The notion of a product of relational structures allows an equivalent definition 
of polymorphisms, relating polymorphisms to homomorphisms. The (categorical 
or cross) product Γ_1 × Γ_2 of two relational τ-structures Γ_1 and Γ_2 is a τ-structure 
on the domain D_{Γ_1} × D_{Γ_2}. For all relations R ∈ τ the relation R((x_1, y_1), ..., 
(x_k, y_k)) holds in Γ_1 × Γ_2 iff R(x_1, ..., x_k) holds in Γ_1 and R(y_1, ..., y_k) holds in 
Γ_2. Comparing the corresponding definitions we see that a k-ary polymorphism 
f of a relational structure Γ is a homomorphism from Γ^k = Γ × ... × Γ to Γ, i.e., for 
an m-ary relation R in τ, if R(x̄_1, ..., x̄_m) holds in Γ^k then R(f(x̄_1), ..., f(x̄_m)) 
holds in Γ. 
An operation π is a projection (or a trivial polymorphism) if for all n-tuples, 
π(x_1, ..., x_n) = x_i for some fixed i ∈ {1, ..., n}. The composition of a k-ary 
operation f and k operations g_1, ..., g_k of arity n is an n-ary operation defined 
by 

$$f(g_1, \ldots, g_k)(x_1, \ldots, x_n) = f\big(g_1(x_1, \ldots, x_n), \ldots, g_k(x_1, \ldots, x_n)\big).$$

A clone F is a set of operations from O that is closed under composition and 
that contains all projections. We write D_F for the domain D of the clone F. For 
a set of operations F from O we write ⟨F⟩ for the smallest clone containing all 
operations in F (the clone generated by F). Observe that Pol(Γ) is a clone with 
the domain D_Γ. 

Moreover, Pol(Γ) is also closed under interpolation: We say that an operation $f \in O$ is an interpolation of a subset F of O if for every finite subset B of D there is some operation $g \in \langle F \rangle$ such that $f|_B = g|_B$ (f restricted to B equals g restricted to B, i.e., $f(a) = g(a)$ for every $a \in B^k$). The set of interpolations of F is called the local closure of F. If the maximal arity of Γ is bounded, Pol(Γ) is also locally closed.

The converse was proved by Rosenberg and Schweigert [34]. Together with a theorem of Larose and Tardif [28] on infinite graphs this is one of the few known results on infinite structures and their polymorphisms. Many results on clones in general can be found in [38].

Proposition 2 (Rosenberg and Schweigert [34]). A set $F \subseteq O$ of operations is locally closed if and only if $F = \mathrm{Pol}(\Gamma)$ for some relational structure Γ of bounded maximal arity.

Important properties of operations in a clone: a k-ary operation f is idempotent iff $f(x, \ldots, x) = x$ for all $x \in D$. An operation f is called essentially unary iff there is a unary operation $f_0$ such that $f(x_1, \ldots, x_k) = f_0(x_i)$ for some $i \in \{1, \ldots, k\}$. A relational structure Γ is called projective iff all idempotent polymorphisms of Γ are projections, and strongly projective iff all polymorphisms of Γ are projections [33].

Let F be a (local) clone with domain D. Then $R \subseteq D^m$ is invariant under F if every $f \in F$ preserves R. We denote by Inv(F) the relational structure containing the set of all relations left invariant under F. A fundamental result of Bodnarcuk et al. [5] (other presentations can be found in [32, 12]) says that for arbitrary finite relational structures Γ the p.p.-definable relations can be characterized as the invariants of the polymorphisms of Γ.

Theorem 3 (Bodnarcuk et al. [5]). Let Γ be a finite relational structure. Then

$$\langle \Gamma \rangle_{pp} = \mathrm{Inv}(\mathrm{Pol}(\Gamma)).$$

The proof of Theorem 3 also shows that it is decidable whether for a given finite relational structure Γ a given relation R is p.p.-definable or not. Generalizations of Theorem 3 and the related Galois correspondences were also studied for infinite domains. For arbitrary relational structures Γ the set of relations Inv(Pol(Γ)) was characterized with local closure operators on relational algebras in [37] (see also [31], page 32).

In the next section we will show that for countable homogeneous structures Γ any first-order definable relation is in $\langle \Gamma \rangle_{pp}$ if and only if it is left invariant under all polymorphisms of finite arity. But first we note that the following is well-known for arbitrary cardinalities of the domain.

Proposition 3 (see e.g. [32]). Let Γ be a relational structure. Then

$$\langle \Gamma \rangle_{pp} \subseteq \mathrm{Inv}(\mathrm{Pol}(\Gamma)).$$

Proof. Let R be a relation in $\langle \Gamma \rangle_{pp}$. We prove that $R \in \mathrm{Inv}(\mathrm{Pol}(\Gamma))$ by induction on the length of a defining p.p.-formula φ. The claim is true for $\varphi = R(x_1, \ldots, x_n)$. For $\varphi = \exists x.\varphi'$ we observe that every polymorphism that leaves φ' invariant also leaves φ invariant. The same holds for $\varphi = \varphi_1 \wedge \varphi_2$. □

For a structure with a countable domain the inclusion of Proposition 3 might be strict. Consider for instance the following relational structure $\Gamma = (\mathbb{N}; R_1, R_2, R_3)$ on the natural numbers, communicated to the authors by Ferdinand Börner. We show that Inv(Pol(Γ)) contains relations that are not p.p.-definable.

$$R_1 = \{(a, b, c, d) \mid a = b \text{ or } c = d,\ a, b, c, d \in \mathbb{N}\}$$
$$R_2 = \{(0)\}$$
$$R_3 = \{(a, a + 1) \mid a \in \mathbb{N}\}$$

Every function preserving $R_1$ is essentially unary. If f is unary and preserves $R_2$ then $f(0) = 0$. Furthermore, if f preserves $R_3$ we have $f(a + 1) = f(a) + 1$ for all a, and inductively $f(a) = a$ follows. Therefore Pol(Γ) is the set of all projections. Every projection preserves all relations, but even the unary first-order definable relation $\{x \mid x = 1 \vee x = 3\}$ is not p.p.-definable.

For ω-categorical structures Γ the situation looks better: It is known that the first-order definable relations are precisely the relations that are invariant under the automorphisms of Γ, i.e. $\langle \Gamma \rangle_{fo} = \mathrm{Inv}(\mathrm{Aut}(\Gamma))$ (see e.g. [22, 8]). The structure Inv(Aut(Γ)) is homogeneous and called the canonical structure of the permutation group Aut(Γ). We prove a corresponding theorem for primitive positive definability in the next section.

5 A Characterization of Primitive Positive Definability 

We characterize the primitive positive first-order definable relations over an ω-categorical structure Γ by the polymorphisms of Γ of finite arity.

Theorem 4. Let Γ be an ω-categorical structure with relational signature τ. Then a relation R on Γ is invariant under the polymorphisms of Γ if and only if R is p.p.-definable, i.e.,

$$\langle \Gamma \rangle_{pp} = \mathrm{Inv}(\mathrm{Pol}(\Gamma)).$$
Proof. We already stated in Proposition 3 that the p.p.-definable relations over Γ are invariant under the polymorphisms of Γ.

For the converse, let R be a k-ary relation from Inv(Pol(Γ)). Note that R is first-order definable in Γ: By ω-categoricity and Ryll-Nardzewski, and since Γ and Inv(Pol(Γ)) have the same automorphism group, the relation R is a union of finitely many orbits of the automorphism group of Γ, and it can be defined by a disjunction φ of τ-formulas that define these orbits. Let $M_1, \ldots, M_w$ be the satisfiable monomials in this disjunction, and let $x_1, \ldots, x_k$ be the variables of the monomials.

We have to construct a finite τ-structure Q with designated vertices $v_1, \ldots, v_k$ such that

$$R = \{(f(v_1), \ldots, f(v_k)) \mid f : Q \to \Gamma \text{ homomorphism}\}.$$

The idea is to first consider an infinite τ-structure, namely the categorical product $\Gamma^w$, and then to apply König's Lemma to prove the existence of a suitable finite substructure.

For each monomial $M_j \in \{M_1, \ldots, M_w\}$ of φ we find a substructure $a^j_1, \ldots, a^j_k$ of Γ such that $a^j_1, \ldots, a^j_k$ satisfies $M_j$ in Γ. Let $b_1, b_2, \ldots$ be an enumeration of the w-tuples in $D_\Gamma^w$, starting with $b_i = (a^1_i, \ldots, a^w_i)$ for $1 \le i \le k$. Let us call a partial mapping from $\Gamma^w$ to Γ a bad mapping if it maps $b_1, \ldots, b_k$ to a tuple not satisfying φ. Since R is invariant under all polymorphisms, no homomorphism from $\Gamma^w$ to Γ is bad.

We now claim that there is a finite substructure Q of $\Gamma^w$ such that no homomorphism from Q to Γ is bad. Assume for contradiction that all finite substructures of $\Gamma^w$ containing $b_1, \ldots, b_k$ have a homomorphism to Γ mapping $b_1, \ldots, b_k$ to a tuple not satisfying φ. We now construct a bad homomorphism from $\Gamma^w$ to Γ, i.e. the images of $b_1, \ldots, b_k$ do not satisfy φ. This contradicts the fact that R is invariant under all polymorphisms.

To this end, consider the following infinite but finitely branching tree. The nodes on level n in the tree are the equivalence classes of the bad homomorphisms from $\Gamma^w[b_1, \ldots, b_n]$ to Γ, where two homomorphisms $f_1$ and $f_2$ are equivalent if $f_1 = g f_2$ for some $g \in \mathrm{Aut}(\Gamma)$. Adjacency between nodes on consecutive levels is defined by restriction. By our assumption, for each finite substructure of $\Gamma^w$ there is a bad homomorphism, and thus the tree contains a node on each level. By Ryll-Nardzewski, there are only finitely many nodes at each level. By König's Lemma the tree contains an infinite path. We use this path to define a bad homomorphism from $\Gamma^w$ to Γ.

We proved by contradiction that there must be a finite substructure Q containing the vertices $b_1, \ldots, b_k$ of $\Gamma^w$ such that all homomorphisms from Q to Γ map $b_1, \ldots, b_k$ to a tuple satisfying φ. Conversely, every mapping $f : Q \to \Gamma$ such that the tuple $(f(b_1), \ldots, f(b_k))$ satisfies in Γ the monomial $M_j$ can be extended to a homomorphism $f : \Gamma^w \to \Gamma$. To see this, note that both $a^j_1, \ldots, a^j_k$ and $(f(b_1), \ldots, f(b_k))$ satisfy $M_j$ and thus both lie in the same orbit of Aut(Γ). Thus we can choose f to be the j-th projection combined with the automorphism sending $(a^j_1, \ldots, a^j_k)$ to $(f(b_1), \ldots, f(b_k))$. This completes the proof. □
The clone of polymorphisms of an infinite structure is usually a very complicated object. However, for homogeneous structures of finite signature we have the following:

Proposition 4. Let Γ be a homogeneous structure with finite relational signature. Then the polymorphisms of Γ are locally generated by countably many polymorphisms of Γ and the automorphism group Aut(Γ).

Proof. Let $u_1, u_2, \ldots, u_k$ be m-tuples from Γ, and let $v_i = g(u_i)$ for some m-ary polymorphism g of Γ. Depending on m and k there are only finitely many isomorphism types of the substructure of Γ induced by the elements of $u_1, u_2, \ldots, u_k$ and the elements $v_1, \ldots, v_k$. Let F be a set of polymorphisms of arity k containing a polymorphism g for each of these isomorphism types in Γ.

Now let f be an m-ary polymorphism of Γ. We show that f is locally generated by F ∪ Aut(Γ). Let $B \subseteq D_\Gamma$ be a set of finite cardinality. By the definition of F, the restriction $f|_B$ is isomorphic to the restriction of one of the operations $g \in F$. Let π be the isomorphism. By homogeneity of Γ, π can be extended to an automorphism π' of Γ. The identity $f|_B = (\pi' g)|_B$ implies that f is in the local closure of Aut(Γ) ∪ F. □

6 A Catalog of Homogeneous Templates 

We consider various homogeneous and ω-categorical structures, some of their polymorphisms and their corresponding constraint satisfaction problems. In particular we look at the binary structures from the classification project for countable homogeneous structures.

The Countable Homogeneous Tournaments. We start with the homogeneous tournaments, which have been classified by Lachlan [26]. There are only a few types: the oriented cycle $C_3$, the dense linear order $(\mathbb{Q}, <)$, the dense local order S(2), and the generic tournament for the set of all finite tournaments.

The problem CSP($C_3$) is known to be tractable. The constraint satisfaction problem of the dense linear order $(\mathbb{Q}, <)$ is computationally equivalent to the problem whether a given digraph D is acyclic. This tractable problem cannot be formulated as a constraint satisfaction problem with a finite template. Note that the relational structure $(\mathbb{Q}, <)$ is not projective, e.g. $(x, y) \mapsto \max(x, y)$ is a polymorphism. The homogeneous tournament which is the Fraïssé-limit of all finite tournaments has a trivial constraint satisfaction problem: Every finite tournament homomorphically maps to it. Thus the only interesting remaining case is the dense local order S(2) (see [10]). The problem CSP(S(2)) is NP-hard, since it can simulate the hard problem Betweenness [19].

To define the dense local order S(2), consider two disjoint dense subsets X and Y of the rational numbers ℚ (i.e., for every rational number we can find sequences in X and in Y that converge to this number). Then the relation < of S(2) equals the dense linear order of ℚ on X ∪ Y, but we reverse the edges between the sets X and Y. It is easy to see that S(2) is the up to isomorphism unique countable tournament that satisfies the following property: for every vertex, both in-neighbourhood and out-neighbourhood are isomorphic to $(\mathbb{Q}, <)$.

The problem Betweenness can be stated as a constraint satisfaction problem CSP(ℚ, R) where $R = \{(x_1, x_2, x_3) \in \mathbb{Q}^3 \mid x_2 < x_1 < x_3 \text{ or } x_2 > x_1 > x_3\}$. This relation can be simulated by the following p.p.-formula in S(2):

$$\exists u, v : u < x_1 \wedge u < x_2 \wedge u < x_3 \wedge x_1 < x_3 \wedge x_2 < v \wedge v < x_1 \wedge v < x_3$$

The Countable Homogeneous Graphs. Lachlan and Woodrow [27] showed that every infinite such graph is either the Rado graph, the Fraïssé-limit of all $K_n$-free graphs, the complete n-partite graphs, or a complement of these.

The Rado graph R is the Fraïssé-limit of the class of all graphs, therefore the constraint satisfaction problem for the Rado graph is trivial: Every graph can be homomorphically mapped to it. The automorphism group of R has a rich structure (see e.g. [9] for an overview). Łuczak and Nešetřil [29] showed that the Rado graph as well as the generic $K_n$-free graphs are projective. This is in interesting opposition to the finite case, where projectivity of a core of cardinality at least three implies NP-hardness for the corresponding constraint satisfaction problem, which can be seen using Theorem 3 by reduction of k-colorability. Again the constraint satisfaction problem is easy, since every graph which does not contain $K_n$ as a subgraph embeds into the generic $K_n$-free graph. The only interesting remaining cases are the complete n-partite graphs. Each such graph has a homomorphism to the finite graph $K_n$, which has an NP-complete constraint satisfaction problem for $n \ge 3$, and is tractable for $n \le 2$.

Remark: It is perhaps interesting to note that we can use the same results to give a new and short proof that almost all constraint satisfaction problems are NP-complete if the template is a finite undirected graph. The fact that almost all graphs are strongly projective (Nešetřil and Łuczak [29]) combined with Theorem 3 shows that almost all graphs can simulate the inequality relation. This implies NP-hardness of the constraint satisfaction problem on a domain of size at least three. Note that we did not use the involved proof of the dichotomy for graphs in [20].

Countable Homogeneous Digraphs. The countable homogeneous digraphs have been classified by Cherlin [10], and there are uncountably many. But the classification shows that the age of all but a countable well-understood class of homogeneous digraphs has the strong free amalgamation property. Therefore it is easy to see that CSP(Γ) is the set of all (weak) subgraphs of Γ, and that the set of constraint satisfaction problems is also uncountable. Thus there are homogeneous digraphs with an undecidable constraint satisfaction problem. However, if we consider the homogeneous structures Γ that have a finitely axiomatizable age and free amalgamation, it is easy to see that CSP(Γ) is tractable. The remaining homogeneous digraphs were described by Cherlin, and it is straightforward to determine the complexity of their constraint satisfaction problems ([10]; note that CSP(S(2)) = CSP(S(3)) = CSP(P(3))).

To summarize: Every homogeneous digraph problem is either undecidable, NP-complete or tractable. Note that this does not say anything about the mentioned constraint satisfaction problems for finite digraphs, since the corresponding homogeneous templates have a larger signature.

Tree Descriptions. The following constraint satisfaction problem was studied in [11]. Given: a finite structure S over the signature $\tau = \{\to, \perp\}$ containing two binary relation symbols. Question: can we find a rooted forest F on the vertices of S such that every edge from → lies in the transitive closure of F, and every edge from ⊥ does not? Let us call such τ-structures S solvable.

Using the notion of dense trees (see [15]) we can formulate this problem (and related problems) as a constraint satisfaction problem CSP(Γ) for appropriate Γ. This means it is possible to find an ω-categorical structure Γ such that CSP(Γ) contains precisely the solvable τ-structures. The problem can be decided by a polynomial time algorithm [4]. The graph algorithm presented there can be generalized to various constraint satisfaction problems for tree-like structures. We already mentioned that every ω-categorical structure Γ can be made homogeneous by expanding the signature and Γ by some first-order definable relations. In the case of countable dense trees this is possible by an additional ternary relation [16].

Allen’s Interval Algebra and Its Fragments. Consider as a base set D the closed intervals on the rational numbers, and the following binary relations on these intervals: Let $x = (x^-, x^+)$ and $y = (y^-, y^+)$ be closed intervals. We define

— The interval x precedes y, x p y, iff $x^+ < y^-$.
— The interval x overlaps y, x o y, iff $x^- < y^- < x^+$ and $x^+ < y^+$.
— The interval x is during y, x d y, iff $y^- < x^-$ and $x^+ < y^+$.
— The interval x starts y, x s y, iff $x^- = y^-$ and $x^+ > y^-$.
— The interval x finishes y, x f y, iff $x^+ = y^+$ and $x^- > y^-$.
— The interval x meets y, x m y, iff $x^+ = y^-$.
— The interval x equals y, x = y, iff $x^- = y^-$ and $x^+ = y^+$.

For any set of relations derived from p, o, d, s, m, f and = by union and complementation the corresponding countable relational structure is ω-categorical. The constraint satisfaction problems for these structures have a dichotomy [24, 30]. Whereas for finite templates all known hard constraint satisfaction problems are hard because they can express the relation one-in-three-sat, here again the problem Betweenness [19] is used to prove hardness.

7 Related Work 

We want to relate our work to previous unifying approaches to constraint satisfaction. The literature on combining constraint solving [25, 2] has a broader view on constraint satisfaction, and also uses tools from universal algebra. However, they are concerned mainly with decidability questions of more expressive constraint languages.
Various logical formalisms have been proposed to formulate constraint satisfaction problems as the model-checking problems of certain higher-order logics [17]. One of them is the class SNP, the class of existential second-order formulas with a universal first-order part, which might use the relation symbols of the given signature τ and existentially quantified relation symbols. One of the results in [17] says that every problem in NP is equivalent to a problem in SNP, even if the relation symbols from τ occur only negatively in the formula Φ (in which case the class is called monotone SNP). To answer the question whether the model checking problem of a given monotone SNP formula can be described as a constraint satisfaction problem with a countable homogeneous structure, the following problem posed by Cherlin [10] is of importance:

Problem 1. Let τ be a relational signature and N a finite set of finite τ-structures. Give a good criterion for Forb(N) to be an amalgamation class.

8 Conclusion 

Constraint satisfaction problems with countable homogeneous templates cover several classes of constraint satisfaction problems that were investigated in the literature. Examples are tree description languages and subalgebras of Allen’s interval algebra. Using the classification of homogeneous digraphs we can determine the complexity of the constraint satisfaction problems for all homogeneous digraphs. For larger signatures the classification of homogeneous structures is a difficult task. To study the complexity of a constraint satisfaction problem CSP(Γ) it is useful to know whether a given first-order relation is p.p.-definable over Γ. In Section 5 we show that p.p.-definability of a first-order definable relation is characterized by a countable set of polymorphisms. We ask the following question:

Problem 2. Let N be a finite set of relational structures over signature τ such that Forb(N) is the age of a homogeneous structure Γ. Given a first-order formula φ over τ, is it decidable whether φ is on Γ equivalent to a primitive positive formula?

The techniques to describe p.p.-definability might be applied to simplify the 
technical and intricate proofs in the classification of the tractable fragments of 
Allen’s interval algebra. 
Abstract. The standard constraint satisfaction problem over an arbitrary finite domain can be expressed as follows: given a first-order sentence consisting of a conjunction of predicates, where all of the variables
are existentially quantified, determine whether the sentence is true. This 
problem can be parameterized by the set of allowed constraint predicates. 
With each predicate, one can associate certain predicate-preserving oper- 
ations, called polymorphisms, and the complexity of the parameterized 
problem is known to be determined by the polymorphisms of the al- 
lowed predicates. In this paper we consider a more general framework 
for constraint satisfaction problems which allows arbitrary quantifiers 
over constrained variables, rather than just existential quantifiers. We 
show that the complexity of such extended problems is determined by 
the surjective polymorphisms of the constraint predicates. We give ex- 
amples to illustrate how this result can be used to identify tractable and 
intractable cases for the quantified constraint satisfaction problem over 
arbitrary finite domains. 



1 Introduction 

The constraint satisfaction problem (CSP) provides a general framework in 
which a wide variety of combinatorial problems can be expressed in a natu- 
ral way [12,28,37]. A constraint satisfaction problem instance can be viewed as a 
collection of predicates on overlapping sets of variables. The aim is to determine 
whether there exist values for all of the variables such that all of the specified 
predicates hold simultaneously. The standard constraint satisfaction problem can 
be parameterized by restricting the set of allowed predicates which can be used
as constraints. The problem of determining (up to complete classification) the 
complexity of the CSP (and its many variants) for all possible parameter sets 
has attracted much attention, partly because constraint satisfaction problems 
play an important role in Artificial Intelligence [28,37], and partly because they 
“present a reasonably accurate bird’s-eye view on complexity theory” [12]. One
important outcome of research in this direction has been the design of sophis- 
ticated new polynomial-time algorithms for solving a wide variety of problems 
(see, e.g., [5,6,15]). Another outcome has been progress with some important is- 
sues in complexity theory, such as the discovery of large subclasses of complexity 
classes that avoid intermediate complexity (e.g., dichotomy results in the case 
of NP, see [4,6,17,35]). 

For the Boolean (i.e., two- valued) case, the complexity of the standard con- 
straint satisfaction problem has been studied from the above perspective [35], as 
well as a number of related problems, including quantified and counting prob- 
lems, maximum (and minimum) satisfiability, generating all solutions, optimizing 
the number of positive truth values in a solution (all of these are in [12]), min- 
imal satisfiability [25], deciding equivalence and isomorphism of instances [2], 
maximizing Hamming distance between solutions [13], finding lexicographically 
minimal (or maximal) solutions [34], finding a second solution [22], inverse sat- 
isfiability [23], and solving random instances [11]. 

Analysing the complexity of non-Boolean CSPs is a significantly more diffi- 
cult task: these problems usually withstand a direct combinatorial approach, and 
so require more involved techniques. A far-reaching approach via graph theory, 
logic and games has been developed in [16,17,27]. However, the most successful 
approach so far has been the algebraic approach developed in [8,20,21]. This 
approach has led to a number of new results (see, e.g., [5,7,9,15,16]), and has 
culminated (so far) in a complete classification of the complexity of parameterized CSPs for the three-valued case [4] and for the case when all unary predicates
are available [6]. 

The standard CSP can be expressed as follows: given a first-order sentence 
consisting of a conjunction of predicates, where all of the variables are exis- 
tentially quantified, determine whether the sentence is true. One of the most 
natural generalisations of this framework is to consider the quantified constraint 
satisfaction problem (QCSP), in which universal quantifiers are allowed in the 
sentence, as well as existential quantifiers [12,14]. This generalisation greatly 
increases the expressive power of the framework, but also increases the complexity of deciding whether an arbitrary instance is true — from NP-complete to PSPACE-complete.

Boolean QCSP (also known as QSAT or QBF) and some of its restrictions 
(such as Q3SAT) have always been standard examples of PSPACE-complete 
problems [19,29,35]. For some parameter sets, Boolean QCSP has been shown 
to be tractable: for all binary predicates in [1], and for Horn predicates in [26]. 
Finally, a complete classification for the Boolean case was obtained in [12,14]. 
For the non-Boolean case, some superpolynomial algorithms were given in [38]. 
However, to the best of our knowledge, only trivial results are known about the
complexity of non-Boolean QCSPs. 

In this paper we extend the algebraic approach for the first time to the 
more general framework of the quantified constraint satisfaction problem over an 
arbitrary finite set of values. We show that certain algebraic objects (surjective 
polymorphisms) determine the complexity of the QCSP for any given choice 
of parameter set. We then give examples to show how this result can be used 
to identify quantified constraint satisfaction problems lying in more restricted 
complexity classes such as NL and PTIME. Finally, we obtain the first complete 
classification result for a class of general (non-Boolean) quantified constraint 
satisfaction problems. 

2 Preliminaries 

Throughout the paper we use the standard correspondence between predicates and relations: a relation consists of all tuples of values for which the corresponding predicate holds. We will use the same symbol for a predicate and its corresponding relation, since the meaning will always be clear from the context. We will use $R_D^{(m)}$ to denote the set of all m-ary relations (or predicates) over a set D, and $R_D$ to denote the set $\bigcup_{m=1}^{\infty} R_D^{(m)}$.

Definition 1. Let $\Gamma \subseteq R_D$. An instance of CSP(Γ) is a first-order sentence $\exists x_1 \ldots \exists x_l\, (\varrho_1 \wedge \ldots \wedge \varrho_q)$, where each $\varrho_i$ is an atomic formula involving a predicate from Γ, and $x_1, \ldots, x_l$ are the variables appearing in the $\varrho_i$. The question is whether the sentence is true.

The predicates $\varrho_i$ appearing in an instance will be referred to as constraints, since each of them restricts the possible models for the instance in some way.

In addition to predicates and relations we will also consider arbitrary operations on the set of values. We will use $O_D^{(n)}$ to denote the set of all n-ary operations on a set D (that is, the set of mappings $f : D^n \to D$), and $O_D$ to denote the set $\bigcup_{n=1}^{\infty} O_D^{(n)}$.

Any operation on D can be extended in a standard way to an operation on tuples over D, as follows. For any operation $f \in O_D^{(n)}$, and any collection of tuples $a_1, a_2, \ldots, a_n \in D^m$, where $a_i = (a_i(1), \ldots, a_i(m))$ ($i = 1, \ldots, n$), define $f(a_1, \ldots, a_n)$ to be $(f(a_1(1), \ldots, a_n(1)), \ldots, f(a_1(m), \ldots, a_n(m)))$.

Definition 2. For any relation $\varrho \in R_D^{(m)}$ and any operation $f \in O_D^{(n)}$, if $f(a_1, \ldots, a_n) \in \varrho$ for all choices of $a_1, \ldots, a_n \in \varrho$, then ϱ is said to be invariant under f, and f is called a polymorphism of ϱ.

The set of all relations that are invariant under each operation from some set $C \subseteq O_D$ will be denoted Inv(C). The set of all operations that are polymorphisms of every relation from some set $\Gamma \subseteq R_D$ will be denoted Pol(Γ). We remark that the operators Inv() and Pol() form a Galois correspondence between $R_D$ and $O_D$ (see Proposition 1.1.14 of [32]). A basic introduction to this correspondence can be found in [30], and a comprehensive study in [32].
By considering certain properties of the set Inv(Pol(Γ)), the following result was obtained in [20].

Theorem 1. Let $\Gamma_1$ and $\Gamma_2$ be sets of predicates over a finite set, such that $\Gamma_1$ is finite. If $\mathrm{Pol}(\Gamma_2) \subseteq \mathrm{Pol}(\Gamma_1)$ then CSP($\Gamma_1$) is polynomial-time reducible to CSP($\Gamma_2$).

This result shows that, when the set of values is finite, finite sets of predicates with the same polymorphisms give rise to constraint satisfaction problems which are mutually reducible. In other words, the complexity of CSP(Γ) is determined by the polymorphisms of Γ.

A number of results on the complexity of constraint satisfaction problems 
have been obtained via this approach (e.g., [4,5,6,7,8,9,15,16,20,21]). For exam- 
ple, Schaefer’s Dichotomy Theorem [35], when appropriately re-stated, easily 
follows from Theorem 1 and well-known algebraic results [33] (see [20]). 

Theorem 2 ([35]). For any $\Gamma \subseteq R_{\{0,1\}}$, CSP(Γ) is in PTIME when Pol(Γ) contains at least one of the following:

— the constant 0 or constant 1 operations,
— the conjunction or disjunction operations,
— the affine operation $x - y + z \pmod 2$,
— the majority operation $(x \vee y) \wedge (x \vee z) \wedge (y \vee z)$.

In all other cases CSP(Γ) is NP-complete.

In this paper we consider the more general framework of the quantified con- 
straint satisfaction problem, which is defined as follows. 

Definition 3. Let $\Gamma \subseteq R_D$. An instance of QCSP(Γ) is a first-order sentence $Q_1 x_1 \ldots Q_l x_l\, (\varrho_1 \wedge \ldots \wedge \varrho_q)$, where each $\varrho_i$ is an atomic formula involving a predicate from Γ, $x_1, \ldots, x_l$ are the variables appearing in the $\varrho_i$, and $Q_1, \ldots, Q_l$ are arbitrary quantifiers. The question is whether the sentence is true.

Clearly, an instance of CSP(Γ) corresponds to an instance of QCSP(Γ) in which all the quantifiers happen to be existential.

For any finite set D, and any set of relations $\Gamma \subseteq R_D$, one can use an exhaustive search algorithm to show that QCSP(Γ) is in PSPACE. The complexity of QCSP(Γ) has been completely characterized in the Boolean case [12,14].

Theorem 3 ([12,14]). For any $\Gamma \subseteq R_{\{0,1\}}$, QCSP(Γ) is in PTIME when Pol(Γ) contains at least one of the following:

— the conjunction or disjunction operations,
— the affine operation $x - y + z \pmod 2$,
— the majority operation $(x \vee y) \wedge (x \vee z) \wedge (y \vee z)$.

In all other cases QCSP(Γ) is PSPACE-complete.

Corollary 1. QCSP({N}) is PSPACE-complete, where N is the ternary “not-all-equal” relation on {0, 1}, defined by $N = \{0, 1\}^3 \setminus \{(0, 0, 0), (1, 1, 1)\}$.
Even though Theorem 3 is stated here using polymorphisms, it was proved using
a combinatorial rather than an algebraic approach, and that method of proof 
does not easily generalize to larger sets of values. In the remaining sections we 
introduce an algebraic approach which enables us to systematically analyse the 
complexity of quantified constraint satisfaction problems over an arbitrary finite 
set D. 

3 Reduction in QCSP 

The next result is the main result of this paper. It shows that, for quantified constraint satisfaction problems, surjective polymorphisms play a similar role to that played by arbitrary polymorphisms for ordinary CSPs (cf. Theorem 1). Let s-Pol(Γ) denote the set of all surjective operations from Pol(Γ).

Theorem 4. Let $\Gamma_1$ and $\Gamma_2$ be sets of predicates over a finite set, such that $\Gamma_1$ is finite. If $\text{s-Pol}(\Gamma_2) \subseteq \text{s-Pol}(\Gamma_1)$, then QCSP($\Gamma_1$) is polynomial-time reducible to QCSP($\Gamma_2$).

This theorem follows immediately from the next two propositions whose proofs 
can be found in [3]. 

Definition 4. For any set $\Gamma \subseteq R_D$, the set [Γ] consists of all predicates that can be expressed using

1. predicates from Γ, together with the binary equality predicate $=_D$ on D,
2. conjunction,
3. existential quantification,
4. universal quantification.

Proposition 1. Let $\Gamma_1$ and $\Gamma_2$ be sets of predicates over a finite set, such that $\Gamma_1$ is finite. If $[\Gamma_1] \subseteq [\Gamma_2]$, then QCSP($\Gamma_1$) is polynomial-time reducible to QCSP($\Gamma_2$).



Proposition 2. For any set of predicates P over a finite set, [P] = lnv(s-Pol(P)). 

Note that this proposition intuitively means that the expressive power of constraints in QCSP is determined by their surjective polymorphisms. Hence, in order to show that some relation ϱ belongs to [Γ], one does not have to give an explicit construction, but instead one can show that ϱ is invariant under all surjective polymorphisms of Γ, which often turns out to be significantly easier.

We remark that the operators Inv() and s-Pol() used in Proposition 2 form a Galois connection between $R_D$ and the set of all surjective members of $O_D$ which has not previously been investigated (see, e.g., survey [31]).

4 Intractable Cases 

In this section we will use Theorem 4 to show that certain small sets of predicates give rise to quantified constraint satisfaction problems that are intractable. In particular, we will show that QCSP(Γ) can be PSPACE-complete even in some cases where CSP(Γ) is trivial.

We first establish that a particular QCSP problem is PSPACE-complete. This problem corresponds to a generalized form of the standard GRAPH-|D|-COLORABILITY problem [19,29] (which can be expressed as CSP($\{\neq_D\}$) where $\neq_D$ is the binary disequality predicate on D).

Proposition 3. QCSP($\{\neq_D\}$) is PSPACE-complete when |D| ≥ 3.

Proof. By reduction from QCSP({N}), where N is the ternary not-all-equal predicate on a 2-element set, as defined in Corollary 1. For details see [3].



Theorem 5. For any finite set D with |D| ≥ 3, and any Γ ⊆ $R_D$, if every f ∈ s-Pol(Γ) is of the form $f(x_1, \ldots, x_n) = g(x_i)$ for some 1 ≤ i ≤ n and some permutation g on D, then QCSP(Γ) is PSPACE-complete.

Proof. By Lemma 1.3.1 (b) of [32], Pol($\{\neq_D\}$), for |D| ≥ 3, consists of all operations of the form described in the Theorem. Hence Pol($\{\neq_D\}$) = s-Pol($\{\neq_D\}$), and we can apply Theorem 4 and Proposition 3.

The next example uses this result to show that even predicates that give 
rise to trivial constraint satisfaction problems can give rise to intractable quan- 
tified constraint satisfaction problems. This can happen because non-surjective 
operations, which may guarantee the tractability of the CSP, do not affect the 
complexity of the QCSP. 

Example 1. Let $\tau_s$ be the s-ary “not-all-distinct” predicate holding on a tuple $(a_1, \ldots, a_s)$ if and only if $|\{a_1, \ldots, a_s\}| < s$. Note that $\tau_s \supseteq \{(a, \ldots, a) \mid a \in D\}$, so every instance of CSP($\{\tau_s\}$) is trivially satisfiable by assigning the same value to all variables.

However, by Lemma 2.2.4 of [32], the set Pol($\{\tau_{|D|}\}$) consists of all non-surjective operations on D, together with all operations of the form given in Theorem 5. Hence, $\{\tau_{|D|}\}$ satisfies the conditions of Theorem 5, and QCSP($\{\tau_{|D|}\}$) is PSPACE-complete. Similar arguments can be used to show that QCSP($\{\tau_s\}$) is PSPACE-complete, for any s in the range 3 ≤ s ≤ |D|.



5 Tractable Cases 

In spite of the results of the previous section, it is possible to identify sets of 
predicates which give rise to tractable QCSP problems. In this section we identify 
and describe two families of predicates of this kind. 

5.1 Mal’tsev Predicates 

An operation m(x, y, z) on D is said to be Mal’tsev if it satisfies the identities m(x, y, y) = m(y, y, x) = x for all x, y. For example, for an Abelian group G, the operation f(x, y, z) = x − y + z, called the affine operation of G, is a Mal’tsev operation. Relations invariant under the affine operation of a finite Abelian group play a significant role in the study of the complexity of the standard constraint satisfaction problem [5,17,20,21].

Throughout this subsection, let Γ = Inv({m}). By developing and using a deep algebraic structural theory, a sophisticated polynomial-time algorithm for deciding CSP(Γ) was given in [5]. Moreover, it was proved there that a satisfying assignment to any CSP(Γ) instance can also be found in polynomial time. We will show now that QCSP(Γ) can be solved using these algorithms.

Theorem 6. Let m be an arbitrary Mal’tsev operation on D. The problem class QCSP(Inv({m})) is in PTIME.

Proof. The proof is based on the following lemma. 

Lemma 1. Let $\mathcal{P} = Q_1 x_1 \ldots Q_n x_n\, \Phi(x_1, \ldots, x_n)$ be an instance of QCSP(Γ), and j the maximal index such that $Q_j$ is the universal quantifier.

(1) If $\Phi'(x_1, \ldots, x_{j-1}) = \forall x_j \exists x_{j+1} \ldots \exists x_n\, \Phi(x_1, \ldots, x_n)$ is satisfiable then, for any model $(c_1, \ldots, c_n)$ of Φ, the tuple $(c_1, \ldots, c_{j-1})$ is a model of Φ'.

(2) $\mathcal{P}$ is true if and only if so is $\mathcal{P}' = \mathcal{P}_1 \wedge \mathcal{P}_2$ where

$\mathcal{P}_1 = Q_1 x_1 \ldots Q_{j-1} x_{j-1}\, \exists x_j \exists x_{j+1} \ldots \exists x_n\, \Phi(x_1, \ldots, x_n)$,

$\mathcal{P}_2 = \exists x_1 \ldots \exists x_{j-1}\, \forall x_j\, \exists x_{j+1} \ldots \exists x_n\, \Phi(x_1, \ldots, x_n)$.

Proof. (1) Let $(a_1, \ldots, a_{j-1})$ be a model for Φ', and $(a^b_j, \ldots, a^b_n)$, b ∈ D, its extensions such that $a^b = (a_1, \ldots, a_{j-1}, a^b_j, \ldots, a^b_n)$ is a model of Φ and $a^b_j = b$.

Take an arbitrary model $c = (c_1, \ldots, c_{j-1}, c_j, \ldots, c_n)$ of Φ. We need to show that $(c_1, \ldots, c_{j-1})$ is a model of Φ'. Fix an arbitrary b ∈ D and let $d = (d_1, \ldots, d_n)$ be equal to $m(a^b, a^{c_j}, c)$. Proposition 2 implies that the predicate defined by Φ is invariant under m, so d is a model of Φ, too. Moreover, we have $d_i = m(a_i, a_i, c_i) = c_i$ for $i \in \{1, \ldots, j-1\}$ and $d_j = m(a^b_j, a^{c_j}_j, c_j) = m(b, c_j, c_j) = b$. Thus, $(c_1, \ldots, c_{j-1})$ is a model of Φ'.

(2) Obviously, if $\mathcal{P}$ is true then $\mathcal{P}'$ is also true. The converse implication easily follows from part (1). Indeed, since $\mathcal{P}_2$ is true, we can apply (1); then, (1) implies that every tuple $(c_1, \ldots, c_{j-1})$ that can be extended to a model of Φ can be extended so with $c_j$ being any given element. Thus, since $\mathcal{P}_1$ is true, so is $\mathcal{P}$.

Repeatedly applying Lemma 1(2), one can show that every instance of QCSP(Γ) can be decomposed into a conjunction of instances which have the same quantifier-free part and each contain at most one universal quantifier. Moreover, if we can find a model of Φ then part (1) of the lemma implies that initial segments of this model can be used in deciding whether each of the instances is true. It remains to notice that, as is easy to check, fixing a value for any variable in a predicate from Γ gives another predicate invariant under m, which implies that $\exists x_{l+1} \ldots \exists x_n\, \Phi(c_1, \ldots, c_{l-1}, b, x_{l+1}, \ldots, x_n)$ is also an instance of CSP(Inv({m})). Now it follows that the algorithm shown in Fig. 1 is correct.
Input $\mathcal{P} = Q_1 x_1 \ldots Q_n x_n\, \Phi(x_1, \ldots, x_n)$ where $\Phi = \varrho_1 \wedge \ldots \wedge \varrho_q$, and $\varrho_1, \ldots, \varrho_q \in \Gamma$.
Output ‘YES’ if $\mathcal{P}$ is true, ‘NO’ otherwise.

Step 1 Solve the instance $\exists x_1 \ldots \exists x_n\, \Phi$.

Step 2 If Φ has a model then find one, $(c_1, \ldots, c_n)$,
       else OUTPUT(‘NO’) and STOP.

Step 3 For l = n, ..., 1 do
       If $Q_l$ is the universal quantifier then
         For each b ∈ D do
           Solve the instance $\exists x_{l+1} \ldots \exists x_n\, \Phi(c_1, \ldots, c_{l-1}, b, x_{l+1}, \ldots, x_n)$.
           If the instance has no solution then OUTPUT(‘NO’) and STOP.
         enddo
       enddo

Step 4 OUTPUT(‘YES’).

Fig. 1. Algorithm for deciding QCSP(Γ) for Mal’tsev Γ



This algorithm uses k|D| + 1 applications of an algorithm solving CSP(Γ), where k is the number of universal quantifiers in an instance, and one application of an algorithm finding a model. Now we can use the general polynomial-time algorithms developed in [5]. This finishes the proof of Theorem 6.

Note that if the operation m has a special form then the method described above may lead to better algorithms. For example, let G be a finite Abelian group, with affine operation f, and unit element 0, and let Γ be a set of relations over G which are invariant under f. Note that, by straightforward algebraic manipulation, it can be shown that any (n-ary) relation invariant under f is a coset of a subgroup of the group $G^n$.

In the simplest case, when the order of G is prime, G can be considered as a prime field, and hence $G^n$ as a vector space over G. In this case, each coset of a subgroup of $G^n$ is a linear manifold, and it is well-known that such manifolds can be defined by systems of linear equations, whose coefficients are elements of the field G. Therefore, in this case, QCSP(Γ) can be considered as the problem of solving quantified linear systems over G, which can be done by applying standard techniques from linear algebra, or by using them in the above algorithm.
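The procedure of Fig. 1 in the prime-field case just described, as an added example that is not code from the paper: the CSP(Γ) oracle of Steps 1–3 is Gaussian elimination over GF(p), and an exponential brute-force evaluation is included only to cross-check it. The instance encoding (a list of quantifier letters and a list of linear equations mod p) is an assumption of this example.

```python
"""Added example (not from the paper): the Fig. 1 procedure for QCSP(Gamma) with
Gamma the affine predicates over a prime field GF(p), i.e. quantified systems of
linear equations mod p. The CSP oracle the figure assumes is Gaussian elimination.
Instance encoding (constructed for this example):
  quantifiers: list of 'A' (universal) / 'E' (existential) for x_1..x_n, in order;
  eqs: list of (coeffs, rhs) meaning sum(coeffs[i] * x_{i+1}) == rhs (mod p).
"""


def solve_mod_p(eqs, n, p, fixed=None):
    """Return one model of the linear system over GF(p) with the variables in
    `fixed` (index -> value) pinned, or None if the system is inconsistent.
    Plays the role of the CSP(Gamma) solver / model finder of Steps 1-3."""
    fixed = fixed or {}
    rows = []
    for coeffs, rhs in eqs:
        row = [c % p for c in coeffs]
        r = rhs % p
        for v, val in fixed.items():          # substitute pinned variables
            r = (r - row[v] * val) % p
            row[v] = 0
        rows.append(row + [r])
    pivots, rank = [], 0
    for col in range(n):                      # Gauss-Jordan elimination mod p
        if col in fixed:
            continue
        piv = next((i for i in range(rank, len(rows)) if rows[i][col]), None)
        if piv is None:
            continue
        rows[rank], rows[piv] = rows[piv], rows[rank]
        inv = pow(rows[rank][col], -1, p)     # p prime, so the inverse exists
        rows[rank] = [(x * inv) % p for x in rows[rank]]
        for i in range(len(rows)):
            if i != rank and rows[i][col]:
                f = rows[i][col]
                rows[i] = [(a - f * b) % p for a, b in zip(rows[i], rows[rank])]
        pivots.append(col)
        rank += 1
    if any(row[n] for row in rows[rank:]):    # a row "0 = nonzero": inconsistent
        return None
    sol = [0] * n                             # free (non-pivot) variables := 0
    for v, val in fixed.items():
        sol[v] = val % p
    for i, col in enumerate(pivots):
        sol[col] = rows[i][n]
    return sol


def qcsp_affine(quantifiers, eqs, p):
    """Fig. 1: decide the quantified instance using only CSP calls."""
    n = len(quantifiers)
    model = solve_mod_p(eqs, n, p)            # Steps 1-2: a model (c_1..c_n) of Phi
    if model is None:
        return False
    for l in range(n - 1, -1, -1):            # Step 3: l = n, ..., 1
        if quantifiers[l] != 'A':
            continue
        for b in range(p):                    # for each b in D
            fixed = {i: model[i] for i in range(l)}   # c_1 .. c_{l-1}
            fixed[l] = b                              # x_l := b
            if solve_mod_p(eqs, n, p, fixed) is None:
                return False                  # some universal choice cannot be met
    return True                               # Step 4


def qcsp_brute_force(quantifiers, eqs, p, prefix=()):
    """Reference semantics by exhaustive quantifier expansion (exponential), used
    here only to cross-check the polynomial procedure above."""
    if len(prefix) == len(quantifiers):
        return all(sum(c * v for c, v in zip(coeffs, prefix)) % p == rhs % p
                   for coeffs, rhs in eqs)
    results = [qcsp_brute_force(quantifiers, eqs, p, prefix + (b,)) for b in range(p)]
    return all(results) if quantifiers[len(prefix)] == 'A' else any(results)


if __name__ == "__main__":
    # forall x exists y: x + y = 0 (mod 3) holds; exists y forall x does not.
    print(qcsp_affine(['A', 'E'], [([1, 1], 0)], 3))   # True
    print(qcsp_affine(['E', 'A'], [([1, 1], 0)], 3))   # False
```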

5.2 Implicational Predicates 

Our second example of predicates which give rise to tractable quantified con- 
straint satisfaction problems concerns predicates that are invariant under an 
operation known as the dual discriminator. These problems can be viewed as 
generalized Q2SAT, and our algorithm generalizes and extends the algorithm for 
Q2SAT given in [1]. 

Definition 5. For any finite set D, the dual discriminator operation d on D is given by

$d(x, y, z) = \begin{cases} y & \text{if } y = z, \\ x & \text{otherwise.} \end{cases}$
Note that, in the special case when D = {0,1}, the dual discriminator is exactly 
the majority operation mentioned in Theorems 2 and 3. 

Theorem 7. Let D be a finite set, and let d be the dual discriminator operation on D. The problem class QCSP(Inv({d})) is in NL.

To establish this result, we consider a graph structure associated with any instance of a constraint satisfaction problem, which is sometimes known as the “microstructure graph” [18]. For any instance $\mathcal{P}$ of QCSP, with variables V and set of values D, the microstructure graph of $\mathcal{P}$ is the graph (W, E), where the set of nodes W is the subset of pairs V × D representing all possible assignments of values to individual variables which are compatible with the constraints on those variables, and the set of edges, E, is the set of all assignments to pairs of variables which are compatible with the constraints on those pairs. In other words, E is the set of all (ordered) pairs of nodes $((v_i, a), (v_j, b)) \in W \times W$ such that $v_i \neq v_j$ and the partial assignment $v_i = a$, $v_j = b$ is compatible with each individual predicate in $\mathcal{P}$.

We will call an arc $((v_i, a), (v_j, b))$ in the microstructure graph of $\mathcal{P}$ implicative if it is the unique arc in E with first component $(v_i, a)$ and second component $(v_j, b')$, for some value b'. If we remove all arcs from the microstructure graph of $\mathcal{P}$ which are not implicative, then we obtain a directed graph which will be called the implication graph of $\mathcal{P}$, and denoted $I(\mathcal{P})$.

Note that the arcs in the implication graph $I(\mathcal{P})$ represent logical implications which can be made about the possible models for the conjunction of predicates in $\mathcal{P}$. If any model gives value a to variable $v_i$, and $I(\mathcal{P})$ contains the arc $((v_i, a), (v_j, b))$, then that model must also give the value b to the variable $v_j$. By the transitivity of implication, we obtain the same conclusion if there is any path from $(v_i, a)$ to $(v_j, b)$ in $I(\mathcal{P})$.

For some sets of predicates the implication graph has certain additional prop- 
erties, which can be used to obtain further restrictions on the possible models. 
We define one such property as follows. 

Definition 6. For any QCSP instance $\mathcal{P}$, the implication graph $I(\mathcal{P})$ will be called invertible if whenever there is a path from a node $(v_i, a)$ to a node $(v_j, b)$, then for each node $(v_j, b')$ with $b' \neq b$ there is a path from $(v_j, b')$ to $(v_i, a')$ for some $a' \neq a$ (which may depend on b').

The second property we define holds when the implication graph captures all the restrictions on the possible models. In other words, it says that a given assignment is a model for the conjunction of predicates in $\mathcal{P}$ whenever it satisfies all of the implications encoded in the implication graph of $\mathcal{P}$.

Definition 7. Let $\mathcal{P}$ be a QCSP instance of the form $Q_1 x_1 \ldots Q_n x_n\, \Phi$. The implication graph $I(\mathcal{P})$ will be called sufficient if a given assignment σ is a model of Φ whenever $I(\mathcal{P})$ contains the node (v, σ(v)) for each variable v, and does not contain an arc $((v_i, \sigma(v_i)), (v_j, b))$ with $b \neq \sigma(v_j)$.

We will now show that, when the implication graph for an instance is both invert- 
ible and sufficient, then there is a non-deterministic logarithmic-space algorithm 
for that instance. 
Proposition 4. There is a non-deterministic logarithmic-space algorithm that decides any QCSP instance $\mathcal{P}$ whose implication graph $I(\mathcal{P})$ is both invertible and sufficient.

Proof. See [3]. 

Finally, we show that both of these properties hold for all predicates that are 
invariant under the dual discriminator. 

Proposition 5. Let D be a finite set, and let d be the dual discriminator operation on D. For any instance $\mathcal{P}$ in QCSP(Inv({d})), the implication graph $I(\mathcal{P})$ is invertible and sufficient.

Proof. It was shown in [21] that the predicates invariant under d are precisely the predicates which can be expressed as conjunctions of binary predicates, each of which is of the form of a “0/1/all” binary relation, as described in [10]. Such predicates are also described in [24], where they are referred to as “implicational”.

The defining characteristic of a “0/1/all” relation on a pair of variables is 
that for both variables each value is either disallowed, or else allowed with either 
precisely one value, or all possible values, for the other variable [10]. Hence, it 
is straightforward to show that they give rise to implication graphs which are 
invertible. (In fact, an equivalent statement appears as Proposition 2.3 in [24].) 

Furthermore, it is straightforward to verify that, in any problem instance 
whose constraints are specified by such relations, the restrictions imposed by 
these constraints on possible assignments are precisely those captured by the 
implication graph of the instance. Hence this implication graph is sufficient. 
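The microstructure graph, the implication graph and the two properties of Definitions 6 and 7, as an added example that is not code from the paper: it builds both graphs for a small constructed instance of binary constraints and checks invertibility and sufficiency by exhaustive search. It assumes every predicate is binary and given as a set of allowed pairs, and that a node (v, a) is kept when a is compatible with each predicate mentioning v.

```python
"""Added example (not from the paper): building the microstructure graph and the
implication graph of a binary-constraint instance, then checking Definitions 6
and 7 (invertible, sufficient) by brute force on small constructed instances.
Assumptions: every predicate is binary and given as a set of allowed pairs; a
node (v, a) is kept when a is compatible with every predicate mentioning v."""
from itertools import product


def microstructure_graph(variables, domain, constraints):
    """constraints: {(vi, vj): set of allowed (a, b)} with vi != vj. Returns (W, E)."""
    def compatible(partial):               # partial: {var: value}
        for (vi, vj), rel in constraints.items():
            if vi in partial and vj in partial:
                if (partial[vi], partial[vj]) not in rel:
                    return False
            elif vi in partial and all(a != partial[vi] for a, _ in rel):
                return False
            elif vj in partial and all(b != partial[vj] for _, b in rel):
                return False
        return True
    W = {(v, a) for v in variables for a in domain if compatible({v: a})}
    E = {(p, q) for p in W for q in W
         if p[0] != q[0] and compatible({p[0]: p[1], q[0]: q[1]})}
    return W, E


def implication_graph(E):
    """Keep exactly the implicative arcs: (vi,a) -> (vj,b) is implicative when it is
    the only arc leaving (vi,a) that enters variable vj."""
    by_target_var = {}
    for p, q in E:
        by_target_var.setdefault((p, q[0]), []).append(q)
    return {(p, qs[0]) for (p, _), qs in by_target_var.items() if len(qs) == 1}


def reachable(I, start):
    """Nodes reachable from `start` by a path of length >= 1 in I."""
    seen, stack = set(), [q for p, q in I if p == start]
    while stack:
        u = stack.pop()
        if u not in seen:
            seen.add(u)
            stack.extend(q for p, q in I if p == u)
    return seen


def is_invertible(W, I):
    """Definition 6, checked directly on all pairs of nodes."""
    for (vi, a) in W:
        for (vj, b) in reachable(I, (vi, a)):
            for (v, b2) in W:
                if v != vj or b2 == b:
                    continue
                back = reachable(I, (v, b2))
                if not any(u == vi and a2 != a for (u, a2) in back):
                    return False
    return True


def is_sufficient(variables, domain, constraints, W, I):
    """Definition 7 by exhaustive check: every assignment that respects the
    implication graph must be a model of the conjunction of predicates."""
    for values in product(domain, repeat=len(variables)):
        sigma = dict(zip(variables, values))
        if any((v, sigma[v]) not in W for v in variables):
            continue
        if any(sigma[p[0]] == p[1] and sigma[q[0]] != q[1] for p, q in I):
            continue
        if any((sigma[vi], sigma[vj]) not in rel for (vi, vj), rel in constraints.items()):
            return False
    return True


# Constructed instance over D = {0,1,2}: a two-fan {0} x D  u  D x {1} on (x, y)
# and a permutation (graph of a -> a+1 mod 3) on (y, z); both are "0/1/all".
D = (0, 1, 2)
FAN = {(0, b) for b in D} | {(a, 1) for a in D}
PERM = {(a, (a + 1) % 3) for a in D}
IMPLICATIONAL = {('x', 'y'): FAN, ('y', 'z'): PERM}
# The binary disequality of Proposition 3 is not "0/1/all": for |D| = 3 every node
# has two arcs into the other variable, so the implication graph is empty.
DISEQ = {('x', 'y'): {(a, b) for a in D for b in D if a != b}}


def analyse(variables, constraints):
    """(number of implicative arcs, invertible?, sufficient?) for an instance."""
    W, E = microstructure_graph(variables, D, constraints)
    I = implication_graph(E)
    return (len(I), is_invertible(W, I),
            is_sufficient(variables, D, constraints, W, I))


if __name__ == "__main__":
    print(analyse(('x', 'y', 'z'), IMPLICATIONAL))   # (10, True, True)
    print(analyse(('x', 'y'), DISEQ))                # (0, True, False)
```

The disequality instance shows why sufficiency matters: its empty implication graph is trivially invertible but rules nothing out, so it cannot decide the instance.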



6 A Trichotomy Result 

In this section we apply results from the previous sections to obtain a complete classification of complexity of QCSP(Γ) in those cases where Γ contains the set Λ of all graphs of permutations. Recall that the graph of a permutation π is the binary relation $\{(x, y) \mid y = \pi(x)\}$ (or the binary predicate π(x) = y). The complexity of CSP(Γ) for such sets Γ is completely classified in [15].

We will need two new surjective operations:

— The k-ary near projection operation,

$l_k(x_1, \ldots, x_k) = \begin{cases} x_1 & \text{if } x_1, \ldots, x_k \text{ are all different,} \\ x_k & \text{otherwise.} \end{cases}$

— The ternary switching operation,

$s(x, y, z) = \begin{cases} x & \text{if } y = z, \\ y & \text{if } x = z, \\ z & \text{otherwise.} \end{cases}$
Proposition 6. If Γ ⊆ $R_D$, |D| ≥ 3, and $l_{|D|}$ ∈ s-Pol(Γ) then QCSP(Γ) is polynomial-time reducible to CSP(Γ') where Γ' = Inv(Pol(Γ)). In particular, QCSP(Γ) is in NP.

Proof. See [3]. 

Theorem 8. Let Λ ⊆ Γ ⊆ $R_D$, and |D| ≥ 3.

— If s-Pol(Γ) contains the dual discriminator d, or the switching operation s, or an affine operation, then QCSP(Γ) is in PTIME;

— else, if s-Pol(Γ) contains $l_{|D|}$, then QCSP(Γ) is NP-complete;

— else QCSP(Γ) is PSPACE-complete.

Proof. Chapter 5 of [36] shows that either s-Pol(Γ) consists of all projections (that is, all functions of the form $f(x_1, \ldots, x_n) = x_i$ for some 1 ≤ i ≤ n), or else s-Pol(Γ) contains the dual discriminator operation, d, or the near-projection operation, $l_{|D|}$, or (when |D| ∈ {3, 4}) an affine operation. If s-Pol(Γ) consists of all projections then, by Theorem 5, QCSP(Γ) is PSPACE-complete. If s-Pol(Γ) contains d or an affine operation then, by Theorem 6 or Theorem 7, QCSP(Γ) is tractable.

Suppose that s-Pol(Γ) contains $l_{|D|}$. Then, by Proposition 6, this problem is polynomial-time reducible to CSP(Γ') where Γ' = Inv(Pol(Γ)). If s-Pol(Γ) contains s or d then clearly so does Pol(Γ'). It follows from the results of [15] that in this case CSP(Γ') is tractable, and hence so is QCSP(Γ). If s-Pol(Γ) contains neither s nor d then, by [15], CSP(Γ') is NP-complete. Since, obviously, CSP(Γ) is polynomial-time reducible to QCSP(Γ), and QCSP(Γ) is in NP, the result follows.

Note that, for any fixed finite set D , the conditions in Theorem 8 can be 
efficiently checked. 

7 Conclusion 

We have shown that the algebraic theory relating complexity and polymor- 
phisms, which was originally developed for the standard constraint satisfaction 
problem allowing only existential quantifiers, can be extended to deal with the 
more general framework of the quantified constraint satisfaction problem. 

In this extension of the theory it turns out that it is the surjective poly- 
morphisms of the predicates used in problem instances which determine the 
complexity of the corresponding problems. Using this information we have been 
able to identify subproblems of the quantified constraint satisfaction problem 
lying in (or complete for) some standard complexity classes, and to obtain a 
complete classification of complexity for certain special cases. We expect that 
by developing the results and ideas from this paper one will be able to success- 
fully build a far-reaching theory linking algebraic properties of relations with the 
computational complexity of certain associated problems, just as it was in the 
case of ordinary constraint satisfaction problems. 

Acknowledgement The authors thank Reinhard Pöschel who helped launch 
The aim of this tutorial is to give an overview on the state-of-the-art in infinite-state model checking and its applications. 

We present a unified modeling framework based on word/term rewrite sys- 
tems and show its relevance in reasoning about several important classes of 
systems (communication protocols, parametrized distributed algorithms, multi- 
threaded programs, etc). 

Then, we address the verification problem of various classes of such models. 
We consider especially the basic problem of reachability analysis which consists 
in computing a (finite) representation of the (potentially infinite) set of reachable 
configurations. 

We show the main existing approaches to tackle this problem: 

— Specialized constructions for several significant classes of models for which 
this problem is shown to be decidable, 

— General principles to prove the termination and the completeness of the 
iterative computation of the reachability sets for classes of models, 

— Generic constructions and fixpoint acceleration techniques, leading to pow- 
erful semi-algorithms applicable to general classes of models in order to com- 
pute exact/approximate reachability sets. 
Abstract. We introduce a fixpoint extension of Hintikka and Sandu’s IF 
(independence-friendly) logic. We obtain some results on its complexity 
and expressive power. We relate it to parity games of imperfect informa- 
tion, and show its application to defining independence-friendly modal 
mu-calculi. 



1 Introduction 

Independence-friendly logic [7] is a logic introduced by Hintikka and Sandu 
which gives an alternative account of branching quantifiers (Henkin quantifiers) 
in terms of games of imperfect information. It allows the expression of quan- 
tifiers where the choice must be independent of specified earlier choices; it has 
existential second-order power. In the last few years, it has attracted study from 
both philosophical logicians and mathematical logicians. Also, in earlier work, 
we have argued that its modal analogues have a role to play in concurrency 
theory. (See [2] and [3] for discussions of this role and its relation to other work 
in concurrency theory.) 

Given a first-order logic, or a logic like IF that is supposed to look first- 
order (even though it isn’t), it is natural to want to add fixpoint operators. One 
motivation is just the mathematical interest of studying inductive definability 
in many contexts; a more computer-science-based motivation is the desire to 
be able to produce an IF analogue of the modal mu-calculus, a popular and 
interesting temporal logic. 

In [2], we asserted that using the semantics given to IF by Hodges [8], it was 
possible to define an IF fixpoint logic. In this article, we give a detailed definition 
of IF least fixpoint logic (which, typically of IF logics, is a little more subtle than 
one first thinks), and then study it. 

In section 2, we deal with the preliminaries, the existing syntax and semantics 
of IF logic. Sections 3, 4 and 5 are the main part of the paper; in section 3 we 
give the detailed definitions of IF fixpoint logic and its semantics; in section 4 
we give a couple of interesting examples; and in section 5 we establish some 
partial results on complexity and expressive power. Then in section 6 we return 
to the game-theoretic roots of IF by giving a suitable notion of parity game of 
imperfect information, which gives an alternative semantics for IF fixpoint logic. 
Finally, in section 7 we briefly sketch the application to IF modal mu-calculus 
that was one of the original motivations for looking at IF with fixpoints. 
2 IF-FOL Syntax and Semantics 

First of all, we state one important notational convention: we take the scope 
of all quantifiers and fixpoint operators to extend as far to the right as possible. 

For the purposes of this article, we will use only a sublanguage of IF-FOL 
(sometimes just IF for short). The full languages advocated by Hintikka and 
analysed by Hodges and others include the possibility of conjunctions and dis- 
junctions that are independent of previous quantifiers. These operators do not 
introduce inherently new problems, but they do introduce some additional com- 
plexity (and space) in defining the semantics. We will therefore ignore them, and 
consider only the independent quantifiers; the interested reader can use [8] to 
put back the independent junctions. 

One of the more tedious features of IF-FOL is the need to be more pedantic 
than usual in keeping track of free variables etc., as not all the things one takes for 
granted in usual logic are true in IF-FOL. When introducing fixpoint operators, 
even more care is needed, and we shall therefore give the semantics even more 
pedantically than Hodges did. 

Definition 1. Assume the usual FOL set of proposition (P, Q etc.), relation (R, S etc.), function (f, g etc.) and constant (a, b etc.) symbols, with given arities. Assume also the usual variables v, x etc. We write $\bar{x}$, $\bar{v}$ etc. for tuples of variables, and similarly for tuples of other objects; we use concatenation of symbols to denote concatenation of tuples with tuples or objects.

For formulae φ and terms t, the (meta-level) notations $\phi[\bar{x}]$ and $t[\bar{x}]$ mean that the free variables of φ or t are included in the variables $\bar{x}$, without repetition¹.

The terms of IF-FOL are as usual constructed from variables, constants and function symbols. The free variables of a term are as usual; the free variables of a tuple of terms are the union of the free variables of the terms.

We assume equality = is in the language, and atomic formulae are defined as usual. The free variables of the formula $R(\bar{t})$ are those of $\bar{t}$.

The compound formulae are given as follows:

Conjunction and disjunction. If $\phi[\bar{x}]$ and $\psi[\bar{y}]$ are formulae, then $(\phi \vee \psi)[\bar{z}]$ and $(\phi \wedge \psi)[\bar{z}]$ are formulae, where $\bar{z}$ is the union of $\bar{x}$ and $\bar{y}$.

Quantifiers. If $\phi[\bar{y}, x]$ is a formula, x a variable, and W a finite set of variables, then $(\forall x/W.\,\phi)[\bar{y}]$ and $(\exists x/W.\,\phi)[\bar{y}]$ are formulae. If W is empty, we write just $\forall x.\,\phi$ and $\exists x.\,\phi$.

Game negation. If $\phi[\bar{x}]$ is a formula, so is $(\sim\phi)[\bar{x}]$.

Flattening. If $\phi[\bar{x}]$ is a formula, so is $(\downarrow\phi)[\bar{x}]$.

(Negation. $\neg\phi$ is an abbreviation for $\sim\downarrow\phi$.)



Definition 2. IF-FOL⁺ is the logic in which ↓ and ¬ are applied only to atomic formulae.

¹ [8] writes $\phi(\bar{x})$, but we wish to distinguish the meta-notation for free variables from the object-level syntax for atomic formulae and the meta-notation for assigning values to variables.
In the independent quantifiers the intention is that W is the set of independent variables, whose values the player is not allowed to know at this choice point: the Henkin quantifier can be written as $\forall x/\emptyset.\,\exists y/\emptyset.\,\forall u/\{x, y\}.\,\exists v/\{x, y\}$. If one then plays the usual model-checking game with this additional condition, which can be formalized by requiring strategies to be uniform in the ‘unknown’ variables, one gets a game semantics which characterizes the Skolem function semantics in the sense that Eloise has a winning strategy iff the formula is true. However, these games are not determined, so it is not true that Abelard has a winning strategy iff the formula is untrue. For example, $\forall x.\,\exists y/\{x\}.\,x = y$ is untrue in any structure with more than one element, but Abelard has no winning strategy.

The trump semantics of Hodges [8], with variants by others, gives a Tarski- 
style semantics for this logic, equivalent to the imperfect information game se- 
mantics given by Hintikka and Sandu. The semantics is as follows: 

Definition 3. Let a structure A be given, with constants, propositions and relations interpreted in the usual way. A deal $\bar{a}$ for $\phi[\bar{x}]$ or $t[\bar{x}]$ is an assignment of an element of A to each variable in $\bar{x}$. Given a deal $\bar{a}$ for a tuple of terms $\bar{t}[\bar{x}]$, let $\bar{t}(\bar{a})$ denote the tuple of elements obtained by evaluating the terms under the deal $\bar{a}$.

If $\phi[\bar{x}]$ is a formula and W is a subset of the variables in $\bar{x}$, two deals $\bar{a}$ and $\bar{b}$ for φ are $\approx_W$-equivalent ($\bar{a} \approx_W \bar{b}$) iff they agree on the variables not in W. A $\approx_W$-set is a non-empty set of pairwise $\approx_W$-equivalent deals.

The interpretation $[\![\phi]\!]$ of a formula is a pair (T, C) where T is the set of trumps, and C is the set of cotrumps.

— If $(R(\bar{t}))[\bar{x}]$ is atomic, then a non-empty set D of deals is a trump iff $\bar{t}(\bar{a}) \in R$ for every $\bar{a} \in D$; D is a cotrump iff it is non-empty and $\bar{t}(\bar{a}) \notin R$ for every $\bar{a} \in D$.

— D is a trump for $(\phi \wedge \psi)[\bar{x}]$ iff D is a trump for $\phi[\bar{x}]$ and D is a trump for $\psi[\bar{x}]$; D is a cotrump iff there are cotrumps E, F for φ, ψ such that every deal in D is an element of either E or F.

— D is a trump for $(\phi \vee \psi)[\bar{x}]$ iff it is non-empty and there are trumps E of φ and F of ψ such that every deal in D belongs either to E or F; D is a cotrump iff it is a cotrump for both φ and ψ.

— D is a trump for $(\forall y/W.\,\psi)[\bar{x}]$ iff the set $\{\bar{a}b \mid \bar{a} \in D, b \in A\}$ is a trump for $\psi[\bar{x}, y]$. D is a cotrump iff it is non-empty and there is a cotrump E for $\psi[\bar{x}, y]$ such that for every $\approx_W$-set $F \subseteq D$ there is a b such that $\{\bar{a}b \mid \bar{a} \in F\} \subseteq E$.

— D is a trump for $(\exists y/W.\,\psi)[\bar{x}]$ iff there is a trump E for $\psi[\bar{x}, y]$ such that for every $\approx_W$-set $F \subseteq D$ there is a b such that $\{\bar{a}b \mid \bar{a} \in F\} \subseteq E$; D is a cotrump iff the set $\{\bar{a}b \mid \bar{a} \in D, b \in A\}$ is a cotrump for $\psi[\bar{x}, y]$.

— D is a trump for $\sim\phi$ iff D is a cotrump for φ; D is a cotrump for $\sim\phi$ iff it is a trump for φ.

— D is a trump (cotrump) for $\downarrow\phi$ iff D is a non-empty set of members (non-members) of trumps of φ.

A sentence is true in the usual sense if $\{()\} \in T$ (the empty deal is a trump set), and false in the usual sense if $\{()\} \in C$; this corresponds to Eloise or Abelard having a uniform winning strategy. Otherwise, it is undetermined.

Note that the game negation ~ provides the usual de Morgan dualities. 

A trump for φ is essentially a set of winning positions for the model-checking game for φ, for a given uniform strategy, that is, a strategy where choices are uniform in the ‘hidden’ variables. The most intricate part of the above definition is the clause for $\exists y/W.\,\psi$: it says that a trump for $\exists y/W.\,\psi$ is got by adding a witness for y, uniform in the W-variables, to trumps for ψ.

It is easy to see that any subset of a trump is a trump. In the case of an ordinary first-order φ(x), the set of trumps of φ is just the power set of the set of tuples satisfying φ. To see how a more complex set of trumps emerges, consider the following formula, which has x free: $\exists y/\{x\}.\,x = y$. Any singleton set of deals is a trump, but no other set of deals is a trump. Thus we obtain that $\forall x.\,\exists y/\{x\}.\,x = y$ has no trumps (unless the domain has only one element).

The following definition is for later convenience: a set T of sets of deals is well-dealt if for every D ∈ T, D is non-empty and D' ∈ T for every non-empty D' ⊆ D. A formula has well-dealt semantics (T, C) if T and C are well-dealt; the above semantics ensures that all IF-FOL formulae have well-dealt semantics.
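The trump clauses of Definition 3 computed directly on a two-element structure, as an added example that is not code from the paper: it reproduces the worked case above (singleton trumps for $\exists y/\{x\}.\,x = y$, none for $\forall x.\,\exists y/\{x\}.\,x = y$) and checks the well-dealt property. It covers only the trump half of the ∧, ∨, ∀ and ∃ clauses, so game negation and flattening are left out; the tuple encoding of formulas is an assumption of this example.

```python
"""Added example (not from the paper): the trump half of Hodges' trump semantics
(Definition 3) for the negation- and flattening-free fragment, computed on a tiny
structure. Formulas are constructed tuples:
  ('atom', pred)                 pred maps a deal (dict var -> element) to bool
  ('and', f, g) / ('or', f, g)   both sides over the same variable list
  ('all', y, W, f) / ('ex', y, W, f)   quantifier with independence set W.
A deal over the variable tuple `xs` is a tuple of elements aligned with xs."""
from itertools import combinations, product


def nonempty_subsets(items):
    items = sorted(items)
    for r in range(1, len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)


def trumps(formula, xs, universe):
    """Set of trumps (frozensets of deals) of formula[xs] on the given universe."""
    deals = list(product(universe, repeat=len(xs)))
    kind = formula[0]
    if kind == 'atom':
        sat = {d for d in deals if formula[1](dict(zip(xs, d)))}
        return set(nonempty_subsets(sat))          # every non-empty subset
    if kind == 'and':
        return trumps(formula[1], xs, universe) & trumps(formula[2], xs, universe)
    if kind == 'or':
        tf, tg = trumps(formula[1], xs, universe), trumps(formula[2], xs, universe)
        return {D for D in nonempty_subsets(deals)
                if any(D <= E | F for E in tf for F in tg)}
    y, W, body = formula[1], formula[2], formula[3]
    tbody = trumps(body, xs + (y,), universe)      # trumps over the longer deals
    if kind == 'all':
        return {D for D in nonempty_subsets(deals)
                if frozenset(d + (b,) for d in D for b in universe) in tbody}
    # 'ex': one witness b per class of deals agreeing outside W; since trump
    # sets are closed under non-empty subsets, checking the classes suffices.
    def classes(D):
        groups = {}
        for d in D:
            key = tuple(v for name, v in zip(xs, d) if name not in W)
            groups.setdefault(key, set()).add(d)
        return groups.values()

    def uniform_witness(D, E):
        return all(any(all(d + (b,) in E for d in F) for b in universe)
                   for F in classes(D))
    return {D for D in nonempty_subsets(deals)
            if any(uniform_witness(D, E) for E in tbody)}


def is_true(sentence, universe):
    """A sentence is true iff the set containing the empty deal is a trump."""
    return frozenset({()}) in trumps(sentence, (), universe)


def is_well_dealt(T):
    return all(D and all(frozenset(s) in T for s in nonempty_subsets(D)) for D in T)


# Constructed formulas on the two-element structure {0, 1}.
EQ = ('atom', lambda deal: deal['x'] == deal['y'])
EX_HIDDEN = ('ex', 'y', {'x'}, EQ)                        # exists y/{x}. x = y
SLASHED = ('all', 'x', set(), EX_HIDDEN)                  # forall x. exists y/{x}. x = y
ORDINARY = ('all', 'x', set(), ('ex', 'y', set(), EQ))   # forall x. exists y. x = y

if __name__ == "__main__":
    print(trumps(EX_HIDDEN, ('x',), (0, 1)))   # only the two singleton deal sets
    print(is_true(SLASHED, (0, 1)), is_true(ORDINARY, (0, 1)))   # False True
```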

[8] shows that every well-dealt set is the semantics of some IF formula (given 
suitable atomic relations), giving us 

Proposition 4. On a structure A with n elements, IF formulae of length m require space exponential in $n^m$ to represent their semantics.

Proof. The set of tuples for m free variables has $n^m$ elements. Given a k element set, there are $2^k$ subsets, but not all sets of subsets are well-dealt; however, there are about $2^k/\sqrt{k}$ sets of size k/2, and hence at least $2^{2^k/\sqrt{k}}$ well-dealt sets of subsets. (Cameron and Hodges [4] look in more detail at the combinatorics of trumps.) □

We can record the easy loose upper bounds on the time complexity of IF-FOL 
operations: 

Proposition 5. In a structure A of size n, the trump components of the IF operators can be calculated in the following times on formulae with m free variables, where $k = n^m$: ∨ and ∧ in $2^{k+1} \cdot k^2$; ∀x in $2^k \cdot k^3 n$; $\exists x/W$ in $2^{k + k \lg n}$.

Proof. A crude analysis of the cost of computing the trump semantics more or 
less directly from the definitions. Note that the computation for 3 has further 
exponential factors above the 2 k from the number of possible trumps, effectively 
due to the computation of choice functions. □ 

In the case of IF, these exponential upper bounds are much worse than is 
really required for determining whether a deal satisfies (i.e. is a singleton trump 
for) an IF formula, since IF expressible properties are in NP (because we can 
guess values for choice functions). 




Julian C. Bradfield 



3 Adding Fixpoint Operators 

The prime motivation for considering fixpoint extensions is in the modal setting, 
where it is a standard way to produce temporal logics from modal logics. How- 
ever, fixpoint extensions to IF logics raise a number of issues, and it is useful to 
recall briefly the first-order case. 

In the classical settings, fixpoint operators are added to allow sets or relations to be inductively defined by formulae: $\mu(x, X).\,\phi(x, X)$, where X is a set variable, is the least set A such that $A = \{x \mid \phi(x, A)\}$, and the syntax of formulae is extended to allow terms of the form $t \in X$ or $t \in \mu(x, X).\,\phi(x, X)$ (among set theorists) or $X(t)$ and $(\mu(x, X).\,\phi(x, X))(t)$ (among finite model theorists).

In applying this directly to IF-FOL, there is the obvious problem that we 
no longer have a simple notion of an element satisfying a formula, so the usual 
definition no longer type-checks. There are two possible approaches, depending 
on how one views the use of fixpoint terms. If one takes the view that their 
purpose is to define sets, and the logic is a means to this end, then it is natural 
to retain the use of set variables, and work out how to make φ(x, X) reduce 
to a boolean. On the other hand, if one views fixpoint operators as a means 
of introducing recursion into the logical formulae, it is more natural to decide 
that fixpoint terms should have the same semantics as other formulae, namely 
sets of trumps, and that therefore the variables X range over trump sets rather 
than sets. We then have to decide the meaning of X(t). This is the approach we 
suggested in [2], and will now pursue. 

Definition 6. IF-LFP extends the syntax of IF-FOL as follows:

— There is a set Var = {X, Y, ...} of fixpoint variables. Each variable X has an arity $(\mathrm{ar}_1(X), \mathrm{ar}_2(X))$; $\mathrm{ar}_1(X)$ is the arity of the fixpoint, and $\mathrm{ar}_2(X)$ is the number of free parameters of the fixpoint.

— If X is a fixpoint variable, and $\bar{t}$ an $\mathrm{ar}_1(X)$-vector of terms then $X(\bar{t})$ is a formula.

— The notation φ(X) indicates that X is among the free fixpoint variables of φ. If $\phi(X)[\bar{x}, \bar{z}]$ is a formula with $\mathrm{ar}_1(X)$ free individual variables $\bar{x}$ and $\mathrm{ar}_2(X)$ free individual variables $\bar{z}$, and $\bar{t}$ is a sequence of $\mathrm{ar}_1(X)$ terms with free variables $\bar{y}$, then $(\mu(X, \bar{x}).\,\phi)(\bar{t})[\bar{z}, \bar{y}]$ is a formula; provided that φ is IF-FOL⁺.

— similarly for $\nu(X, \bar{x}).\,\phi$.

The process of extending the trump semantics to fixpoint formulae is not 
entirely straightforward. First we define valuations for free fixpoint variables. 

Definition 7. A fixpoint valuation $\mathcal{V}$ maps each fixpoint variable $X$ to a pair 

$$(\mathcal{V}^T(X), \mathcal{V}^C(X)) \in \big(\wp(\wp(A^{\mathrm{ar}_1(X) + \mathrm{ar}_2(X)}))\big)^2.$$ 

Let $D$ be a non-empty set of deals for $X(t)[x, z, y]$, where $y$ are the free 
variables of $t$ not already among $x, z$. A deal $d = acb \in D$, where $a, c, b$ are 
the deals for $x, z, y$ respectively, determines a deal $d' = t(d)c$ for $X[x, z]$. Let 
$D' = \{d' \mid d \in D\}$. $D$ is a trump for $X(t)$ iff $D' \in \mathcal{V}^T(X)$; it is a cotrump iff 
$D' \in \mathcal{V}^C(X)$. 
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Then we define a suitable complete partial order on denotations: 

Definition 8. If $(T_1, C_1)$ and $(T_2, C_2)$ are elements of $(\wp(\wp(A^n)))^2$, define 
$(T_1, C_1) \sqsubseteq (T_2, C_2)$ iff $T_1 \subseteq T_2$ and $C_1 \supseteq C_2$. 

Lemma 9. If $\phi(X)[x, z]$ is an IF-FOL$^+$ formula and $\mathcal{V}$ is a fixpoint valuation, 
the map on $(\wp(\wp(A^{\mathrm{ar}_1(X) + \mathrm{ar}_2(X)})))^2$ given by 

$$(T, C) \mapsto [\![\phi]\!]_{\mathcal{V}[X \mapsto (T, C)]}$$ 

is monotone with respect to $\sqsubseteq$; hence it has least and greatest fixpoints, with 
ordinal approximants defined in the usual way. 

Definition 10. $[\![\mu(X, x).\phi(X)[x, z]]\!]$ is the least fixpoint of the map just defined; 
$[\![\nu(X, x).\phi(X)[x, z]]\!]$ is the greatest fixpoint. $\mu^\beta(X, x).\phi$ means the $\beta$th approximant 
of $\mu(X, x).\phi$. 

The following lemma records the usual basic properties (which have to be 
checked again in this setting), and one new basic property, particular to the IF 
case. 

Lemma 11. 1. The trump and cotrump components of $[\![\mu(X, x).\phi]\!]$ are well-dealt. 

2. If $Y$ is free in $\phi$, then $[\![\mu(X, x).\phi]\!]$ is monotone in $Y$; hence the definition 
extends to further fixpoints in the usual way, as does this lemma. 

3. $\mu$ and $\nu$ are dual: $T$ is a trump for $\mu(X, x).\phi(X)$ iff it is a cotrump for 
$\nu(X, x).{\sim}\phi({\sim}X)$ (with the outer negation pushed in by duality). 

Proof. (1) by induction on approximants; (2) as usual; (3) from definitions. 

A distinctive feature of the definition, compared to the normal LFP defini- 
tion, is the way that free variables are explicitly mentioned. Normally, one can 
fix values for the free variables, and then compute the fixpoint, but because of 
independent quantification this is not possible in the IF setting. For example, 
consider the formula fragment 

$$\forall z.\ \ldots\ \mu(X, x).\ \ldots\ \exists y/\{z\}.\,X(y)$$ 

The independent choice of $y$ means that the trumps for the fixpoint depend on 
the possible deals for $z$, not just a single deal. 

Another point is that the trump set of a least fixpoint is the union of the 
trump sets of its approximants; but the interpretation of logical disjunction is 
not union of trump sets, but union of trumps (applied pointwise to the trump 
sets). Thus the usual view of a least fixpoint as a transfinite disjunction is not 
valid in general. The following explains why, despite this, the IF-LFP semantics 
is consistent with classical LFP semantics. 

Proposition 12. Call a set $T$ of trumps or cotrumps full iff it is the set of non-empty 
subsets of $\bigcup T$. Call a formula $\phi$ of IF-LFP classical iff it is in IF-FOL$^+$ 
and it contains no independent quantification (i.e. all quantifiers are $\exists x/\emptyset$ and 
$\forall x/\emptyset$). Then 
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1. if $\phi$ is fixpoint free, then $[\![\phi]\!]_{\mathrm{IF}} = (T, C)$ is full, $\bigcup T = [\![\phi]\!]_{\mathrm{FO}}$ and 
$\bigcup C = [\![\neg\phi]\!]_{\mathrm{FO}}$; 

2. if $T_\xi$ is a (transfinite) sequence of full well-dealt deal sets, then $\bigcup_\xi T_\xi$ and 
$\bigcap_\xi T_\xi$ are full well-dealt sets; 

3. hence (1) is true for any classical IF-LFP formula. 

4 Examples of IF-LFP 

IF logic is not entirely easy to understand and mu-calculi are also tradition- 
ally hard to understand, so we now consider some examples that demonstrate 
interesting features of the combination. For convenience, we introduce the 
abbreviation $\phi \Rightarrow \psi$ for $\psi \vee {\sim}\phi$, provided that $\phi$ is atomic. 

Let $G = (V, E)$ be a directed graph. The usual LFP formula $R(y, z) =_{\mathrm{def}} 
(\mu(X, x).\ z = x \vee \exists w.\ E(x, w) \wedge X(w))(y)$ asserts that the vertex $z$ is reachable 
from $y$. Hence the formula $\forall y.\,\forall z.\,R(y, z)$ asserts that $G$ is strongly connected. 
Now consider the IF-LFP formula 

$$\forall y.\,\forall z.\,(\mu(X, x).\ z = x \vee \exists w/\{y, z\}.\ E(x, w) \wedge X(w))(y).$$ 

At first sight, one might think this asserts not only that every z is reachable from 
every y, but that the path taken is independent of the choice of y and z. This 
is true exactly if G has a directed Hamiltonian cycle, a much harder property 
than being strongly connected. 

Of course, the formula does not mean this, because the variable w is fresh 
each time the fixpoint is unfolded. In the trump semantics, the denotation of the 
fixpoint will include all the possible choice functions at each step, and hence all 
possible combinations of choice functions. Thus the formula reduces to strong 
connectivity. 

It may be useful to look at the approximants of this formula in a little more 
detail, to get some intuitions about the trump semantics. Considering just 

$$H = (\mu(X, x).\ z = x \vee \exists w/\{y, z\}.\ E(x, w) \wedge X(w))[x, y, z],$$ 

we see that in computing each approximant, the calculation of $[\![\exists w/\{y, z\}.\ \ldots]\!]$ 
involves generating a trump for every possible value of a choice function $f: x \mapsto 
w$. This is a feature of the original trump semantics, and can be understood 
by viewing it as a second-order semantics: just as the compositional Tarskian 
semantics of $\exists x.\ \phi(x)$ involves computing all the witnesses for $\phi(x)$, so computing 
the trumps of $\exists x/\{y\}.\ \phi$ involves computing all the Skolem functions; and unlike 
the first-order case, it is necessary to work with functions (as IF can express 
existential second-order logic). Consequently, the $n$th approximant includes all 
states such that $x \to f_1(x) \to f_2 f_1(x) \to \cdots \to f_n \cdots f_1(x) = z$ for any sequence 
of successor-choosing functions $f_i$. Thus we see that the cumulative effect is the 
same as for a normal $\exists w$, and the independent choice has indeed not bought us 
anything. 
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It is, however, possible² to produce a slightly more involved formula expressing 
the Hamiltonian cycle property in this inductively defined way, by using the 
standard trick for expressing functions in Henkin quantifier logics. We replace 
the formula $H$ by 

$$\forall s.\,\exists t/\{y, z\}.\ E(s, t) \wedge \mu(X, x).\ x = z \vee \forall u.\,\exists v/\{x, z, s, t\}.\ (s = u \Rightarrow t = v) \wedge (x = u \Rightarrow X(v)).$$ 

This works because the actual function $f$ selecting a successor for every node is 
made outside the fixpoint by $\forall s.\,\exists t/\{y, z\}.\ E(s, t) \wedge \ldots$; then inside the fixpoint, 
a new choice function $g$ is made so that $X(g(x))$, and $g$ is constrained to be the 
same as $f$ by the clause $(s = u \Rightarrow t = v)$. (The reader who is not familiar with 
the IF/Henkin to existential second-order translation might wish to ponder why 
$\forall s.\,\exists t/\{y, z\}.\ E(s, t) \wedge \mu(X, x).\ x = z \vee (x = s \Rightarrow X(t))$ does not work.) 

5 Complexity and Expressive Power of IF-LFP 

The above examples have shown IF-LFP being used to express relatively simple 
NP properties. Since, as remarked, it is well known that Henkin quantifiers and 
IF logic express just the NP properties, and since it is also known [6] that LFP 
plus Henkin quantifiers express $\mathrm{P}^{\mathrm{NP}}$, one might imagine that IF-LFP (which is 
not closed under classical negation) also expresses only NP properties, or at worst 
some subset of $\mathrm{P}^{\mathrm{NP}}$. This is not the case; adding fixpoints to the IF formulation 
gives a more significant increase in expressive power. 

Firstly, we note that the approximant semantics of fixpoints gives the usual 
behaviour in simple upper bounds: 

Proposition 13. If $\phi(X)[x, z_1, \ldots, z_m]$ is an IF-FOL$^+$ formula, then in a structure 
of size $n$, the approximants of $\mu(X, x).\phi$ close after at most $2^n$ steps. Hence 
in an IF-LFP formula with $d$ alternating fixpoints and $m$ variables, $2^{dn}$ evaluations 
of IF formulae are required. If the formula size is $l$, this gives a total cost 

$$O\big(2^{dn} \cdot m \cdot l \cdot 2^{n^{m-1}(1 + \lg n)}\big) = l \cdot 2^{n^{m-1}(1 + d + \lg n)}.$$ 

Observe, however, that the contribution from fixpoint alternation is small com- 
pared to the cost of computing independent existential quantifiers. 

Despite the relative weakness of adding fixpoints, they do in some sense 
release the power of independent quantification. This is shown by the following 
theorem. 

Theorem 14. There is an IF-LFP sentence (with one least fixpoint) which is 
EXPTIME-hard to evaluate. 

² Since IF logic is equi-expressive with Henkin quantified logic, it is also equi-expressive 
with existential second-order logic, and so can express ‘Hamiltonian cycle’ without 
using fixpoints. Thus we are not, in this example, adding technical expressive power. 
However, the pure IF definition is quite complex, as it involves defining a binary 
relation coded via functions; so we are adding expressive convenience. 
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Proof. We give a reduction from the EXPTIME-complete problem of determin- 
ing whether Player 1 has a winning strategy for the game of generalized chess. 

A structure for a generalized chess game between players 1 and 2 of order $n$ comprises 
a board $R$ with $n^2$ (or any other fixed polynomial) squares $r$ and a set $P$ of $n$ 
(or any other fixed polynomial) pieces $p$. A position of the game is a function 
$\pi: P \to R$. There may be some relations on $P$ and $R$ in the signature. The game 
is defined by three first-order formulae with parameter $n$: a formula $\phi_I(\pi)$ true 
only of the initial position, a formula $\phi_W(\pi)$ which is true if player 1 has won 
at $\pi$, and a formula $\phi_M(\pi, i, p, r)$ which is true if moving piece $p$ to square $r$ is a 
legal move for player $i$ from position $\pi$. (Without loss of generality, we assume 
that a move consists of moving exactly one piece.) 

Given a position $\pi$ and a move $p, r$, the ‘next position’ formula $N(\pi')$ is 
defined to be $\forall p'.\ (p' = p \wedge \pi'(p') = r) \vee \pi'(p') = \pi(p')$. 

The set $X$ of winning positions (i.e. from which 1 can force a win) for 1 can 
then be inductively defined by the type 3 functional 

$$F(X, \pi) \;\Leftrightarrow\; \Phi \;=_{\mathrm{def}}\; \phi_W(\pi) \vee \big((\forall p, r.\ \phi_M(\pi, 2, p, r) \Rightarrow \exists \pi'.\ N(\pi') \wedge X(\pi')) \wedge (\exists p, r.\ \phi_M(\pi, 1, p, r) \wedge \exists \pi'.\ N(\pi') \wedge X(\pi'))\big).$$ 

We now show how to express this inductive definition in IF-LFP. Part of the 
coding is the well-known expression of existential second-order logic in IF or 
Henkin logic, which we have already seen in the Hamiltonian cycle example. The 
general technique is thus: assume given an ESO formula $\exists f.\ \psi$. Let $Q_1(f(\tau_1)), \ldots, 
Q_n(f(\tau_n))$ be the instances in $\psi$ of applications of $f$ occurring in atoms $Q_i$. Then 
the translation is 

$$\forall x.\,\exists y.\,\forall x_1.\,\exists y_1/\{x\}.\ \ldots\ \forall x_n.\,\exists y_n/\{x, x_1, \ldots, x_{n-1}\}.\ \bigwedge_i (x_i = x \Rightarrow y_i = y) \wedge \psi',$$ 

where $\psi'$ is obtained from $\psi$ by replacing $Q_i(f(\tau_i))$ with $x_i = \tau_i \Rightarrow Q_i(y_i)$. 
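As an added worked instance of this translation (not part of the original paper; the formula, the relation $E$ and the variable names are constructed for illustration), take the ESO formula $\exists f.\,\forall u.\,(E(u, f(u)) \wedge \neg E(f(u), u))$, which has $n = 2$ applications of $f$: $Q_1(f(\tau_1))$ with $Q_1 = E(u, \cdot)$ and $Q_2(f(\tau_2))$ with $Q_2 = \neg E(\cdot, u)$, where $\tau_1 = \tau_2 = u$. The schema gives 

$$\forall x.\,\exists y.\,\forall x_1.\,\exists y_1/\{x\}.\,\forall x_2.\,\exists y_2/\{x, x_1\}.\;(x_1 = x \Rightarrow y_1 = y) \wedge (x_2 = x \Rightarrow y_2 = y) \wedge \psi',$$ 
$$\psi' \;=\; \forall u.\,\big((x_1 = u \Rightarrow E(u, y_1)) \wedge (x_2 = u \Rightarrow \neg E(y_2, u))\big).$$ 

Reading Eloise's uniform choices as Skolem functions, $y = f(x)$, $y_1 = g_1(x_1)$ and $y_2 = g_2(x_2)$; since $x, x_1, x_2$ range over all elements, the two clauses $x_i = x \Rightarrow y_i = y$ force $g_1 = g_2 = f$, and for each $u$ the instance $x_1 = x_2 = u$ of $\psi'$ then checks exactly $E(u, f(u)) \wedge \neg E(f(u), u)$. Every $\Rightarrow$ has an atomic antecedent and negation is applied only to atoms, so the result is an IF-FOL$^+$ formula. 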

The second part is passing a function through a fixpoint. This is fairly simple 
to do: one just passes the domain and codomain as normal parameters, and relies 
on the quantification outside forcing them to represent a function. In this case, 
the classical type 2 relation $X(\pi)$ is replaced by a binary IF type 1 relation 
$Y(s, t)$, so that the classical $\exists \pi.\ (\mu X.\Phi)(\pi)$ becomes $\forall x.\,\exists y.\ (\mu Y.\Phi')(x, y)$, where 
$\Phi'$ is obtained from $\Phi$ by applying the ESO-IF translation using $s, t$ for $\pi$ and 
replacing $X(\pi')$ with $Y(p'', r'')$, where $p'', r''$ are the variables bound by the 
translation $\forall p''.\,\exists r''/\ldots$ of $\exists \pi'$. 

One then shows by an inductive argument on $\xi$ that $\exists \pi.\ (\mu^\xi X.\Phi)(\pi)$ holds iff 
$\forall x.\,\exists y.\ (\mu^\xi Y.\Phi')(x, y)$ holds. Finally, if we wish to determine whether the initial 
position is winning for 1, we evaluate $\exists \pi.\ \phi_I(\pi) \wedge (\mu X.\Phi)(\pi)$. 

(We should note that we have extended the IF abbreviation $\phi \Rightarrow \psi$ to the case 
where $\phi$ is classical, not just atomic. This is acceptable because game negation 
coincides with classical negation for classical formulae.) □ 

The above argument was applied to the case of finite structures, but there is 
nothing in it that depends on finiteness. We can therefore obtain the following 
theorem, which refutes our conjecture in [2] that a fixpoint extension of IF would 
be within $\Delta^1_1$. 
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Theorem 15. Let $F(X, a)$ be a positive $\Sigma^1_1$ type 3 functional in the language 
of arithmetic. Then a set of integers definable from the set of reals inductively 
defined by $F$ can be expressed in IF-LFP. It follows that IF-LFP (even with 
just one fixpoint) over the natural numbers can express properties. 

Proof. $F$ is defined by a $\Sigma^1_1$ formula $\phi(X, a)$. Use the technique of the previous 
proof to express $\exists a.\ (\mu X.\phi)(a) \wedge \psi(a, n)$, where $\psi$ is first-order. Cenzer [5] showed 
that any $\Sigma^1_1$ set of reals is the closure of a $\Sigma^1_1$ positive inductive definition over 
the reals. Since if $a$ is a $\Sigma^1_1$ real, the set $\{a\}$ is also $\Sigma^1_1$, we also have the stated 
consequence. □ 

Cenzer’s results also allow us to obtain an improvement (for those who don’t 
believe CH) on the closure ordinal for a single IF fixpoint over $\omega$. The usual 
cardinality argument for fixpoints tells us merely that an IF fixpoint over $\omega$ 
must close by $2^{\aleph_0}$. The improvement is 

Theorem 16. If $\phi(X)$ is an IF-FOL$^+$ formula (i.e. with ${\sim}$ and $\Rightarrow$ applied only 
to atoms), then $\mu X.\phi$ has closure ordinal $\leq \aleph_1$. 

Proof. Seen as operations on $\wp(2^\omega)$, the semantics of the IF boolean operators 
and quantifiers are $\Sigma^1_1$. (This is not immediately apparent from the definitions 
as presented above, but a small amount of rearrangement reveals it.) Cenzer 
showed that the closure ordinal of a $\Sigma^1_1$ monotone inductive definition over the 
reals is $\leq \aleph_1$. □ 

It remains to investigate lower bounds on the complexity of multiple IF fixpoints. 
We remark only that the absence of classical negation makes this less easy than 
it otherwise would be. 



6 IF Parity Games 

We briefly recall the game semantics of first-order logic and of IF logic. 

Given a FO formula $\psi$ (in positive form) and a structure $\mathcal{A}$, a position is a 
subformula $\phi(\mathbf{x})$ of $\psi$ together with a deal for $\phi$, that is, an assignment of values 
$\mathbf{v}$ to its free variables $\mathbf{x}$. At a position $(\forall x.\ \phi_1, \mathbf{v})$, Abelard chooses a value $v$ for 
$x$, and play moves to the position $(\phi_1, \mathbf{v} \cdot v)$; similarly Eloise moves at $\exists x.\ \phi_1$. At 
$(\phi_1 \wedge \phi_2, \mathbf{v})$, Abelard chooses a conjunct $\phi_i$, and play moves to $(\phi_i(\mathbf{x}'), \mathbf{v}')$, where 
$\mathbf{x}', \mathbf{v}'$ are $\mathbf{x}, \mathbf{v}$ restricted to the free variables of $\phi_i$; and at $(\phi_1 \vee \phi_2, \mathbf{v})$, Eloise 
similarly chooses a disjunct. A play of the game terminates at (negated) atoms 
$(P(\mathbf{x}), \mathbf{v})$ (resp. $(\neg P(\mathbf{x}), \mathbf{v})$), and is won by Eloise (resp. Abelard) iff $P(\mathbf{v})$ is true. 
Then it is standard that $\mathcal{A} \models \psi$ exactly if Eloise has a winning strategy in this 
game, where a strategy is a function from sequences of legal positions to moves. 

These games have perfect information ; both players know everything that 
has happened, and in particular when one player makes a choice, they know the 
other player’s previous choices. Game semantics for IF logic [7] use games of 
imperfect information: at the position $\exists x/W.\ \phi$, when Eloise chooses a value $v$ 
for x, she does not know what Abelard chose for the values of the independent 
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variables W. A uniform Eloise strategy for the game is one in which her choice 
of v is indeed uniform in the values of W, and we say a formula is true if Eloise 
has a uniform winning strategy. 

Now recall that in a parity game the positions are assigned ranks 0, . . . , r, 
and if a run of the game is infinite, Eloise wins if the highest rank appearing 
infinitely often is even. The model-checking game for FOL extends to a model- 
checking game for LFP by assigning even ranks to maximal fixpoints and odd 
to minimal, such that the rank of an inner fixpoint is less than the rank of its 
enclosing fixpoints. Then the formula is true iff Eloise has a winning strategy for 
the defined parity game. 

Combining these two concepts, a general parity game of imperfect informa- 
tion is given by a usual parity game together with imperfect information require- 
ments at each position, requiring a player to move uniformly in some part of the 
game history. The winning runs are those given by the usual parity winning con- 
ditions; a player wins the game if she has winning strategy for the parity game 
that is uniform as required by the imperfect information requirements. 

In general, infinite imperfect information games are undecidable even on finite 
structures, since they require players to keep arbitrary knowledge (and lack of 
knowledge) of the history of the game. To obtain a class of decidable imperfect 
parity games, we will first give a parity game semantics for IF-LFP, and then 
define a class of imperfect parity games characterized by IF-LFP. 

Definition 17. The model-checking game for an IF-LFP formula is defined by 
adding the following clauses to the Hintikka-Sandu game for IF. The moves are 
extended by the usual fixpoint unfolding rule: at a position $((\mu(X, x).\phi)(t), u)$, 
play moves to $(\phi, uv)$, where $v$ is the value of $t$; at a position $(X(t), uvw)$, where 
$u$ is the deal for the free variables of $X$, $v$ for $x$, and $w$ for the variables bound 
inside $\phi$, play moves to $(\phi, uv')$ where $v'$ is the value of $t$. Parities are assigned 
to positions in the usual way, and the usual infinite parity winning condition is 
added. 

The independence requirements are that at a quantifier $\exists x/W$ (and dually), 
Eloise must choose x without knowing the values of the W variables and without 
knowing the values of any variables bound in some currently enclosing fixpoint 
but chosen before the most recent unfolding of that fixpoint. (In other words, 
she does not remember choices that have gone out of scope and have no value in 
the current deal.) 

Correspondingly, a uniform strategy in the parity game is a strategy where 
the choice function is uniform in the independent variables and the out-of-scope 
variables. 



Theorem 18. If $\phi$ is an IF-LFP sentence, then Eloise has a uniform winning 
strategy for the model-checking game if and only if $\{()\}$ is a trump for $\phi$. 
Moreover, the strategy can be history-free. 

Proof. (Sketch) The argument relating parity conditions to alternating fixpoints 
applies to any set of monotone operators with fixpoints added, not just to FOL 
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or modal logic. Thus by combining the usual proof of equivalence of parity games 
and fixpoints with the proof of equivalence of IF games and trump semantics, 
we get the result. 

History-freeness follows from the inductive construction of the set of winning 
positions, but is intuitively obvious, as all the information a player is supposed 
to be able to remember is included in the game position. 

This game account of the IF-LFP semantics brings out the key factor, which 
may have been less obvious in the trump semantics, that keeps model-checking 
decidable. This is that passing through a fixpoint variable throws away all in- 
formation about choices made within the body of the fixpoint, unless they are 
explicitly passed as parameters. Of course, this is also true in usual LFP, but in 
the IF case knowledge of previous choices is explicitly part of the semantics. 

This suggests the following definition: 

Definition 19. An imperfect information parity game on a structure A is finite- 
memory if each player is equipped with a finite memory in which they can remem- 
ber previous moves. A player’s choice at a move is required to depend only on 
the current position and memory, with additional imperfect information require- 
ments imposed by the game on the memory (i.e. a player may have to temporarily 
forget things). 

A player wins the game if they have a uniform history-free winning strategy. 
The expected theorem is 

Theorem 20. Given a finite-memory imperfect parity game on A, the state- 
ment ‘Eloise wins the game ’ is expressible by an IF-LFP formula whose fixpoint 
alternation depth is the parity rank of the game. 

Proof. (Sketch) The finite memory is modelled by parameters of fixpoints. We 
will use fixpoints $X$ which carry one parameter $p$ for the position in the game, and 
parameters $m_i$ for the memory ‘cells’. The inner loop of an inductive definition 
of winning positions is the usual expression of ‘it is Eloise’s move and there 
exists a move such that the next position is in $X$, or it is Abelard’s move and 
all next moves are in $X$’, as in the formula we used earlier for generalized chess. 
The quantifiers are made explicitly independent of the memory items required 
to be unknown (which may require a case analysis of the moves of the game). 

To deal with the parities, we use the first-order version of the usual ‘parity 
game formula’ from parity automata and modal mu-calculus (see [1] for a detailed 
explanation of the parity game formula): for each rank $j = 0, \ldots, r$, there is a 
fixpoint variable $X_j$. Then the inner loop is enclosed by $\nu X_0.\ \mu X_1.\ \ldots\ \mu/\nu X_r.$, 
and the formula $X(p, m)$, where $p$ and $m$ are the position and memory after the 
next move, is conjoined with 

$$\bigwedge_{0 \leq j \leq r} (R_j \Rightarrow X_j(p, m))$$ 

where $R_j$ is the formula expressing that the next position has rank $j$. 

The usual proof now applies to give the result. □ 
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Corollary 21. Finite-memory imperfect parity games on finite structures are 
decidable³. 

7 Application to IF Modal Mu-Calculus 

Our original motivation for looking at fixpoint extensions of IF logic was the 
desire to combine two threads of work. Firstly, modal mu-calculus is a well stud- 
ied and widely used temporal logic. Secondly, we have argued in [2] and [3] that 
modal versions of Henkin quantifiers and independence logics provide a natural 
expression of some properties of concurrent systems. Given a concurrent modal 
logic, it is natural to extend it to a concurrent temporal logic by adding fixpoint 
operators. In [2] we looked at modal analogues of Henkin quantifiers acting on 
systems composed of several concurrent components; since a single Henkin quan- 
tifier gives an operator on the powerset of states, there was no difficulty in adding 
such modalities to mu-calculus. In [3], we designed a modal analogue of IF logic, 
defined on certain structures appropriate for true concurrency. The full defini- 
tion of the structures and the logic is, for a number of technical reasons, rather 
long and complex. We refer the reader to [3] for details, and here just give the 
idea. 

IFML extends the syntax of usual modal logic as follows. Instead of the simple 
‘next step’ modality $\langle a \rangle \phi$, each modality carries a tag $\alpha$, and may be declared to 
be independent of previous tags $\beta$ by the Hintikka slash, giving a syntax $\langle a \rangle_{\alpha/\beta}\,\phi$. 
The intended interpretation is that the choice of $a$ action must be independent of 
the action chosen in the modality tagged by $\beta$; for this to make sense, the action 
at $\beta$ should be concurrent (in the technical sense of event structures etc.) with 
the action at $\alpha$. The semantics is given in terms of runs (sequences of states) of 
the system, directly via an imperfect information model-checking game. 

As we have not the space to import the full definition of IFML here, we shall 
not give detailed propositions in this section, but remarks that can be refined 
into theorems with the material in [3]. 

Remark 22. The game semantics of IFML given in [3] can be equivalently 
expressed by translating to IF as a meta-language (modulo the introduction of 
some fairly messy defined functions and relations on runs of the system) such 
that the main variable holding the state ranges over runs (as in the game), 
and auxiliary variables range over actions. Consequently, IFML has a trump 
semantics. The evaluation of a formula on a finite system is decidable, since the 
maximum length of runs that must be considered is bounded by the modal depth 
of the formula. 

Remark 23. We can define an IF modal mu-calculus by adding fixpoint formulae 
of the form $\mu(X, \bar{\alpha}).\phi$ and $X(\bar{\alpha})$, where the fixpoint variable $X$ has not 
only an implicit parameter for the current ‘state’, but also explicit parameters 
$\bar{\alpha}$ for tags to be passed through the fixpoint. 

³ This result is probably long known in some form, but I do not know the reference. 
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This can be given a semantics via IF-LFP. However, since a ‘state’ in the 
semantics is a run, not a system state, it is not obvious that decidability of 
model-checking is maintained for IF mu-calculus. (We conjecture that it is, but 
some results from concurrency theory, such as the undecidability of hereditary 
history-preserving bisimulation, give some cause for doubt.) 

The IF modal mu-calculus has a model-checking game that is an IF version 
of the usual parity games for modal logic, as done above for IF-LFP. 

8 Conclusion 

We have defined a suitable fixpoint extension of independence-friendly logic, 
and established some results. We have related it to parity games of imperfect 
information, and we have shown how it may be applied to the construction of 
independence- friendly modal mu-calculi. 

For IF-LFP itself, there are still many questions remaining. Chief among 
these are better upper and lower bounds on the complexity of model-checking 
(in the finite case) and descriptive complexity (in the infinite case). We have 
shown that IF-LFP is more complex than we surmised in earlier work, and it is 
not unlikely that it will turn out to be much more complex. 
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Abstract. System SKS is a set of rules for classical propositional logic 
presented in the calculus of structures. Like sequent systems and unlike 
natural deduction systems, it has an explicit cut rule, which is admissi- 
ble. In contrast to sequent systems, the cut rule can easily be reduced 
to atomic form. This allows for a very simple cut elimination procedure 
based on plugging in parts of a proof, like normalisation in natural deduc- 
tion and unlike cut elimination in the sequent calculus. It should thus be 
a good common starting point for investigations into both proof search 
as computation and proof normalisation as computation. 

Keywords: sequent calculus, natural deduction, cut elimination, classical 
logic, atomic cut. 



1 Introduction 

The two well-known connections between proof theory and language design, proof 
search as computation and proof normalisation as computation, have mainly used 
different proof-theoretic formalisms. While designers of functional programming 
languages prefer natural deduction, because of the close correspondence between 
proof normalisation and reduction in related term calculi [4,8], designers of logic 
programming languages prefer the sequent calculus [7], because infinite choice 
and much of the unwanted non-determinism is limited to the cut rule, which can 
be eliminated. 

System SKS [2] is a set of inference rules for classical propositional logic 
presented in a new formalism, the calculus of structures [5]. This system admits 
the good properties usually found in sequent systems: in particular, all rules 
that induce infinite choice in proof search are admissible. Thus, in principle, 
it is as suitable for proof search as systems in the sequent calculus. In this 
paper I will present a cut elimination procedure for SKS that is very similar 
to normalisation in natural deduction. It thus allows us to develop, at least for 
the case of classical logic, both the proof search and the proof normalisation 
paradigm of computation in the same formalism and starting from the same 
system of rules. 

Cut elimination in the sequent calculus and normalisation in natural de- 
duction, widely perceived as ‘morally the same’, differ quite a bit, technically. 
Compared to cut elimination, (weak) normalisation is simpler, involving neither 
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permutation of a multicut rule, nor induction on the cut-rank. The equivalent 
of a cut in natural deduction, for example, 

$$\dfrac{\dfrac{\begin{array}{c}\Delta_1\\ \Gamma, A \vdash B\end{array}}{\Gamma \vdash A \supset B}\qquad\begin{array}{c}\Delta_2\\ \Gamma \vdash A\end{array}}{\Gamma \vdash B}\ {\supset}E$$ 

is eliminated as follows: first, assumption $A$ and all its copies are removed from 
$\Delta_1$. Second, the derivation $\Delta_2$, with the context strengthened accordingly, is 
plugged into all the leaves of $\Delta_1$ where assumption $A$ was used. 

This method relies on the fact that no rule inside $\Delta_1$ can change the premise 
A, which is why it does not work for the sequent calculus. To eliminate a cut 
in the sequent calculus, one has to cope with the fact that logical rules may be 
applied to both eigenformulas of the cut. This is usually done by permuting up 
the cut rule step-by-step. However, given a cut with an atomic cut formula a 
inside a sequent calculus proof, we can trace the occurrence of a and its copies 
produced by contraction, identify all the leaves where they are used in identity 
axioms, and plug in subproofs in very much the same way as in natural deduction. 
The problem for the sequent calculus is that cuts are not atomic, in general. 

The calculus of structures generalises the one-sided sequent calculus. It has 
led not only to inference systems with interesting new properties for classical 
and linear logic [2,9,10], but also to inference systems for new logics that are 
problematic for the sequent calculus [5,6,3]. 

Derivations in the calculus of structures enjoy a top-down symmetry that is 
not available in the sequent calculus: they are chains of one-premise inference 
rules. ‘Meta-level conjunction’ (the branching of the proof tree) and ‘object- 
level conjunction’ (the connective in a formula) are identified. The two notions 
of formula and sequent are also identified: they merge into the notion of structure, 
which is a formula subject to equivalences that are usually imposed on sequents. 
This simplification makes explicit the duality between the identity axiom and 
the cut rule [5]: 



$$\text{identity}\ \dfrac{S\{\mathit{true}\}}{S\{R \vee \bar{R}\}} \qquad\qquad \text{cut}\ \dfrac{S\{R \wedge \bar{R}\}}{S\{\mathit{false}\}}$$ 



The identity rule is read bottom-up as: if inside a structure there occurs a dis- 
junction of a structure R and its negation, then it can be replaced by the constant 
true. The notion of duality between cut and identity is precisely the one that is 
known as contrapositive. 

Just like in the sequent calculus, the identity axiom can easily be reduced to 
atomic form. The symmetry of the calculus of structures allows us to reduce the 
cut to atomic form in the same way as the identity axiom, i.e. without having 
to go through cut elimination. Atomicity of the cut then admits a very simple 
cut elimination procedure that is similar to normalisation in natural deduction. 
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Associativity 

$[R, [T]] = [R, T]$ 
$(R, (T)) = (R, T)$ 

Commutativity 

$[R, T] = [T, R]$ 
$(R, T) = (T, R)$ 

Singleton 

$[R] = R = (R)$ 

Units 

$[f, R] = [R]$ 
$(t, R) = (R)$ 
$[t, t] = t$ 
$(f, f) = f$ 

Negation 

$\bar{t} = f$ 
$\bar{f} = t$ 
$\overline{[R_1, \ldots, R_h]} = (\bar{R}_1, \ldots, \bar{R}_h)$ 
$\overline{(R_1, \ldots, R_h)} = [\bar{R}_1, \ldots, \bar{R}_h]$ 
$\bar{\bar{R}} = R$ 

Fig. 1. Equations on structures 



After introducing basic notions of the calculus of structures, I show system 
SKS with atomic contraction, weakening, identity and, most significantly, atomic 
cut. Then, after establishing some lemmas, I present the cut elimination proce- 
dure. 



2 The Calculus of Structures 

Definition 1. Propositional variables p and their negations p are atoms, with the 
negation of p defined to be p. Atoms are denoted by a, b, ... . The structures of 
the language KS are generated by 

    S ::= t | f | a | [S, …, S] | (S, …, S) | S̄ ,
                        ╰──────╯   ╰──────╯
                          > 0        > 0

where t and f are the units true and false, [S₁, …, S_h] is a disjunction and 
(S₁, …, S_h) is a conjunction. S̄ is the negation of the structure S. The units 
are not atoms. Structures are denoted by S, R, T, U and V. Structure contexts, 
denoted by S{ }, are structures with one occurrence of { }, the empty context 
or hole, that does not appear in the scope of a negation. S{R} denotes the 
structure obtained by filling the hole in S{ } with R. We drop the curly braces 
when they are redundant: for example, S[R,T] stands for S{[R,T]}. Structures 
are equivalent modulo the smallest congruence relation induced by the equations 
shown in Fig. 1, where R and T are finite, non-empty sequences of structures. 
In general we do not distinguish between equivalent structures. 



Definition 2. An inference rule is a scheme of the kind

           S{T}
     ρ  ─────────
           S{R}

where ρ is the name of the rule, S{T} is its premise and S{R} is its conclusion. In an instance 
of ρ, the structure taking the place of R is called redex and the structure taking 
the place of T is called contractum. A (formal) system 𝒮 is a set of inference 
rules. To clarify the use of the equational theory where it is not obvious, I will 
use the rule

           T
     =  ───────
           R

where R and T are equivalent structures. 



Definition 3. The dual of a rule is obtained by exchanging premise and conclu- 
sion and replacing each connective by its De Morgan dual. 

Definition 4. A derivation Δ in a certain formal system is a finite chain of in- 
stances of inference rules in the system: 

            T
       π  ─────
            U
            ⋮
       π' ─────
            R

A derivation can consist of just one structure. The topmost structure in a deriva- 
tion is called the premise of the derivation, and the structure at the bottom is 
called its conclusion. A derivation Δ whose premise is T, whose conclusion is R, 
and whose inference rules are in 𝒮 will be indicated with 

            T
         Δ  ‖ 𝒮
            R

A proof Π in the calculus of structures is a derivation whose premise is the unit 
true. It will be denoted by 

            ─
         Π  ‖ 𝒮
            R

A rule ρ is derivable for a system 𝒮 if for every instance of ρ 

            T
       ρ  ─────
            R

there is a derivation 

            T
         Δ  ‖ 𝒮
            R

A rule ρ is admissible for a system 𝒮 if for every proof 

            ─
         Π  ‖ 𝒮 ∪ {ρ}
            S

there is a proof 

            ─
         Π' ‖ 𝒮
            S

3 System SKS 

System SKS, shown in Fig. 2, has been introduced and shown to be sound and 
complete for classical propositional logic in [2] . The first S stands for “symmetric” 
or “self-dual” , meaning that for each rule, its dual (or contrapositive) is also in 
the system. The K stands for “klassisch” as in Gentzen’s LK and the last S says 
that it is a system on structures. 

The rules ai↓, s, m, aw↓, ac↓ are called respectively atomic identity, switch, 
medial, atomic weakening and atomic contraction. Their dual rules carry the 
same name prefixed with a “co-”, so e.g. aw↑ is called atomic co-weakening. The 
rules s and m are their own duals. The rule ai↑ is special: it is called atomic 
cut. Rules ai↓, aw↓, ac↓ are called down-rules and their duals are called up-rules. 
In [2], by a semantic argument, all up-rules were shown to be admissible. By 
removing them we obtain system KS, shown in Fig. 3, which is complete. 

Cut-free sequent systems fulfill the subformula property. Our case is different, 
because the notions of formula and sequent are merged. System KS does not fulfill 
a “substructure property” just as sequent systems do not fulfill a “subsequent 
property”. However, when seen bottom-up, no rule in system KS introduces new 
atoms. It thus satisfies the main aspect of the subformula property: when given 
a conclusion of a rule there is only a finite number of premises to choose from. 
In proof search, for example, the branching of the search tree is finite. 

Identity, cut, weakening and contraction are restricted to atoms in system 
SKS. The general versions of those rules are shown in Fig. 4. 

Theorem 5. The rules i↓, w↓ and c↓ are derivable in {ai↓, s}, {aw↓, s} and {ac↓, 
m}, respectively. Dually, the rules i↑, w↑ and c↑ are derivable in {ai↑, s}, {aw↑, s} 
and {ac↑, m}, respectively. 

          S{t}                 S{f}                S[R,R]
    i↓ ──────────       w↓ ──────────       c↓ ──────────
          S[R,R̄]               S{R}                S{R}

          S(R,R̄)               S{R}                S{R}
    i↑ ──────────       w↑ ──────────       c↑ ──────────
          S{f}                 S{t}                S(R,R)

Fig. 4. General identity, weakening, contraction and their duals 



Proof. By an easy structural induction on the structure that is cut, weakened 
or contracted. Details are in [2]. The case for the cut is shown here. A cut intro- 
ducing the structure (R,T) together with its dual structure [R̄,T̄] is replaced 
by two cuts on smaller structures: 

           S(R,T,[R̄,T̄])
    i↑  ────────────────
           S{f}

is replaced by 

           S(R,T,[R̄,T̄])
    s   ────────────────
           S(R,[R̄,(T,T̄)])
    s   ────────────────
           S[(R,R̄),(T,T̄)]
    i↑  ────────────────
           S(R,R̄)
    i↑  ────────────────
           S{f}                                                          □ 

So, while general identity, weakening, contraction and their duals do not 
belong to SKS, they will be freely used in derivations in SKS to denote multiple 
instances of the corresponding rules in SKS according to Theorem 5. 

Remark 6. Sequent calculus derivations easily correspond to derivations in sys- 
tem SKS. For instance, the cut of sequent systems in Gentzen-Schütte form [11] 

           ⊢ Φ, A     ⊢ Ψ, Ā
    Cut  ───────────────────────
           ⊢ Φ, Ψ

corresponds to 

           ([Φ,A],[Ψ,Ā])
    s   ────────────────
           [Φ,(A,[Ψ,Ā])]
    s   ────────────────
           [Φ,Ψ,(A,Ā)]
    i↑  ────────────────
           [Φ,Ψ]


4 Cut Elimination 



In the calculus of structures, there is more freedom in applying inference rules 
than in the sequent calculus. While this allows for a richer combinatorial analysis 
of proofs, it is a significant challenge for cut elimination. During cut elimination, 
the sequent calculus allows one to get into the crucial situation where on one branch 
a logical rule applies to the main connective of the eigenformula and on the 
other branch the corresponding rule applies to the dual connective of the dual 
eigenformula. In the calculus of structures, rules apply deep inside a context; 
they are not restricted to main connectives. The methodology of the sequent 
calculus thus does not apply. For example, one cannot permute the cut over the 
switch rule. One can generalise the cut in order to permute it over switch, but 
this requires a case analysis that is far more complicated than in the sequent 
calculus. Contraction is an even bigger problem. Despite many efforts, no cut 
elimination procedure along these lines has been found for system SKS. 

[Fig. 5. Elimination of one atomic cut (figure not reproduced; structures shown: [R,(a,ā)], [R,a], [R,R], R; rules ai↑ and c↓)] 

Two new techniques were developed to eliminate cuts in the calculus of struc- 
tures. The first is called decomposition , and has been used in [6,9] for some 
systems related to linear logic. Proving termination of decomposition is rather 
involved [9] . It makes essential use of the exponentials of linear logic which re- 
strict the use of contraction. So far, this technique could not be used for classical 
logic with its unrestricted contraction. The second technique is called splitting 
[5] , and essentially makes available a situation corresponding to the one described 
above for the sequent calculus. Splitting covers the broadest range of systems in 
the calculus of structures: it not only applies to the systems mentioned above, 
but has recently also been applied to system SKS (the proof is not published 
yet). Compared to splitting, the procedure given here is much simpler. In fact, I 
do not know of any other system with such a simple cut elimination procedure. 

In the sequent calculus as well as in sequent-style natural deduction, a deriva- 
tion is a tree. Seen bottom-up, a cut splits the tree into two branches. To apply 
a cut, one is forced to split the context among the two branches (in the case 
of multiplicative context treatment) or to duplicate the context (in the case of 
additive context treatment). In the calculus of structures, the cut rule does not 
split the proof. 

The crucial idea, illustrated in Fig. 5, is that we can do that during cut 
elimination. This allows us to plug in proofs just like in natural deduction: we 
duplicate the proof above a cut and remove the atom ā from the copy shown on the 
left and the atom a from the copy shown on the right. We choose one copy, the 
one on the left in this case, and replace a by R throughout the proof, breaking 
some instances of identity. They are fixed by substituting the proof on the right. 
A contraction is applied to obtain a cut-free proof of R. 

In contrast to the sequent calculus, the cut is not the only problematic rule 
in system SKS. The rule aw↑ also induces infinite choice in proof search. Fortu- 
nately, we can not only eliminate the cut rule, but also the other up-rules. Each 
up-rule individually can be shown to be admissible for system KS. However, 
since we are going to eliminate the cut anyway, to eliminate rules aw↑ and ac↑ 
the following lemma is sufficient. 



Lemma 7. Each rule in SKS is derivable for identity, cut, switch and its dual 
rule. 

Proof. An instance of an up-rule 

            S{T}
    ρ↑  ──────────
            S{R}

can be replaced by 

            S{T}
    i↓  ───────────────
            S(T,[R,R̄])
    s   ───────────────
            S[R,(T,R̄)]
    ρ↓  ───────────────
            S[R,(T,T̄)]
    i↑  ───────────────
            S{R}

The same holds for down-rules.                                            □ 



When plugging in a derivation in natural deduction, its context has to be 
strengthened, to fit into the leaf into which it is plugged. Adding to a context 
in natural deduction is easy, since it is a flat object, a set or a multiset. In the 
calculus of structures, contexts are more general, nested objects. The following 
definition is used to strengthen contexts. 

Definition 8. Given a derivation Δ, the derivation S{Δ} is obtained as follows: 

               T                        S{T}
          π  ─────                 π  ────────
               U                        S{U}
    S{         ⋮      }   =:            ⋮
          π' ─────                 π' ────────
               R                        S{R}

Definition 9. An instance of atomic cut is called shallow if it is of the following 
form: 

            [S,(a,ā)]
    ai↑  ─────────────
            S


Lemma 10. The atomic cut is derivable for shallow atomic cut and switch. 

Proof. An easy induction locally replaces an instance of atomic cut by a shallow 
atomic cut followed by instances of switch. Details are in [1].            □ 



Lemma 11. Each proof 

            ─
            ‖ KS
            T{a}

can be transformed into a proof 

            ─
            ‖ KS
            T{t}




Proof. Starting with the conclusion, going up in the proof, in each structure we 
replace the occurrence of a and its copies, that are produced by contractions, 
by the unit t. Replacements inside the context of any rule instance do not affect 
the validity of this rule instance. Instances of the rules m and s remain valid, 
also in the case that atom occurrences are replaced inside redex and contractum. 
Instances of the other rules are replaced by the following derivations: 



            S[a,a]                     S[t,t]
    ac↓  ──────────      ⇝       =  ──────────
            S{a}                       S{t}

            S{f}                       S{f}
    aw↓  ──────────      ⇝       =  ─────────────
            S{a}                       S([t,t],f)
                                 s  ─────────────
                                       S[t,(t,f)]
                                 =  ─────────────
                                       S{t}

            S{t}                       S{t}
    ai↓  ──────────      ⇝       =  ──────────
            S[a,ā]                     S[t,f]
                               aw↓  ──────────
                                       S[t,ā]
                                                                          □ 

Properly equipped, we now turn to cut elimination. 

Theorem. Each proof 

            ─
            ‖ SKS
            T

can be transformed into a proof 

            ─
            ‖ KS
            T

Proof. By Lemma 7, the only rule left to eliminate is the cut. By Lemma 10, we 
replace all cuts by shallow cuts. The topmost instance of cut, together with the 
proof above it, is singled out: 

             ─
        Π    ‖ KS
             [R,(a,ā)]
      ai↑  ────────────
             R
             ‖ KS ∪ {ai↑}
             T


Lemma 11 is applied twice on Π to obtain 

             ─                           ─
        Π₁   ‖ KS          and      Π₂   ‖ KS
             [R,a]                       [R,ā]

Starting with the conclusion, going up in proof Π₁, in each structure we 
replace the occurrence of a and its copies, that are produced by contractions, by 
the structure R. 

Replacements inside the context of any rule instance do not affect the validity 
of this rule instance. Instances of the rules m and s remain valid, also in the case 
that atom occurrences are replaced inside redex and contractum. Instances of 
ac↓ and aw↓ are replaced by their general versions: 

            S[a,a]                     S[R,R]
    ac↓  ──────────      ⇝      c↓  ──────────
            S{a}                       S{R}

            S{f}                       S{f}
    aw↓  ──────────      ⇝      w↓  ──────────
            S{a}                       S{R}

Instances of ai↓ are replaced by S{Π₂}: 

            S{t}                       S{t}
    ai↓  ──────────      ⇝    S{Π₂}    ‖ KS
            S[a,ā]                     S[R,ā]

The result of this process of substituting Π₂ into Π₁ is a proof Π₃, from 
which we build 

             ─
        Π₃   ‖ KS
             [R,R]
       c↓  ────────
             R
             ‖ KS ∪ {ai↑}
             T

Proceed inductively downward with the remaining instances of cut.          □ 



5 Conclusion 

System SKS seems a good starting point for developing both the proof search 
and the proof normalisation paradigm in one system. Since all up-rules 
are admissible, it is suitable for proof search as computation. The cut elimi- 
nation procedure given is simpler than those for sequent calculi. The way in 
which proofs are substituted resembles normalisation in natural deduction. This 
hopefully allows for a computational interpretation in the proof normalisation 
as computation paradigm. 

Of course, a lot of work remains to be done. In the proof search as computation 
realm, given the admissibility of cut, a suitable notion of uniform proof as in [7] 
should be obtainable. For proof normalisation as computation, natural questions 
to be considered are strong normalisation and confluence of the cut elimination 
procedure when imposing as little strategy as possible. Similarly to [8], a term 
calculus should be developed and its computational meaning be made precise. 
Intuitionistic logic is a more familiar setting for this, so the possibility of treating 
intuitionistic logic should be explored. 

A natural question is whether this procedure scales to more expressive cases, 
for example to predicate logic. System SKSq extends system SKS by first-order 
quantifiers [1]. There, cut elimination is proved via a translation to the sequent 
calculus. The procedure presented here does not appear to scale easily to sys- 
tem SKSq. The problem, which does not occur in shallow inference systems like 
the sequent calculus or natural deduction, is existential quantifiers in the context 
of a cut which bind variables both in a and ā. 
closed atomic cuts, that is, cuts where the eigenformula is an atom prefixed by 
quantifiers that bind all its variables. The question then is how to reduce general 
cuts to closed atomic cuts. If this problem were solved, then the procedure would 
scale to predicate logic. Hopefully this will lead to a cut elimination procedure 
for predicate logic, which is simpler than other cut elimination procedures, as 
happened for propositional logic. 
“Computational mathematics” (algorithmic mathematics) is the part of mathe- 
matics that strives at the solution of mathematical problems by algorithms. In 
a superficial view, some people might believe that computational mathematics 
is the easy part of mathematics in which trivial mathematics is made useful 
by repeating trivial steps sufficiently many times on current powerful machines 
in order to achieve marginally interesting results. The opposite is true: Many 
times, computational mathematics needs and stimulates deeper mathematics, 
i.e. deeper mathematical theorems with more difficult proofs than “pure” math- 
ematics. This is so because, in order to establish an algorithmic method for a 
given mathematical problem, i.e. in order to reduce the solution of a given prob- 
lem to the few operations that can be executed on machines, deeper insight on 
the given problem domain is necessary than the insight necessary for establishing 
the reduction of the given problem to powerful nonalgorithmic abstract mathe- 
matical operations as, for example, choice functions and the basic quantifiers of 
set theory. 

Computational mathematics comes in two flavors: “numerical mathematics”, 
in which the original problems are replaced by approximate versions and one is 
satisfied with approximate solutions to the approximate problems, and “exact al- 
gorithmic mathematics” in which the original problems are solved by algorithms 
in the original domains or isomorphic representations of these domains. Exact 
algorithmic mathematics can be divided into “discrete mathematics”, in which 
the objects in the underlying mathematical domains are finitary, and “computer 
algebra”, in which the objects in the underlying mathematical domains accord- 
ing to their original definition are infinite and the possibility of an isomorphic 
finitary representation in itself is a non-trivial mathematical question. 

For many mathematical problems it can be mathematically proved that exact 
algorithmic solutions are not possible or are possible only by algorithms with a 
certain complexity. Even in these cases, algorithmic mathematics can and should 
go on by considering either approximate versions or special cases of the problem. 

Mathematical logic is the mathematical meta-theory of mathematics. The 
characteristic feature of mathematics is its method of gaining knowledge from 
given knowledge by reasoning. Hence, the meta-theory of mathematics is essen- 
tially the theory of reasoning. As for any other mathematical theory, one can and 
should ask the question of how much of reasoning can be made algorithmic. The 
part of mathematical logic that deals with algorithmic methods for reasoning is 
called “computational logic”. Although it is well known that the algorithmiza- 
tion of mathematical reasoning in its most general form in a certain sense is 
not possible, the algorithmization of reasoning under certain restrictions or for 
certain limited - but still extremely broad - areas of mathematics is possible and, 
in fact, is one of the most challenging mathematical endeavors with enormous 
practical significance. 

In fact, as a result of analyzing mathematical invention in the various areas of 
mathematics, it turns out that the transition from the object level to the meta- 
level is not limited to mathematical logic but is one of the main - but mostly 
hidden - instruments of mathematical progress in every field of mathematics and 
at the core of mathematical intelligence and invention. We therefore advocate 
that future mathematical systems must provide a frame for considering both the 
object and the meta-level of mathematical theories and must provide a means for 
the transition from the object level to the metalevel. In fact, “symbolic computa- 
tion” is a term that more and more is used as a common term for both computer 
algebra flavored computational mathematics on the object level and computa- 
tional logic on the meta-level. In other words, “symbolic computation” grows 
into the most general frame for all aspects of algorithmization. More concretely, 
in the recent research efforts of the symbolic computation community, the inter- 
action of computer algebra and computational logic and the applications of the 
results of this interaction for the future automation of “mathematical knowledge 
management” moves into the center of interest. 

In the talk, we will illustrate the above general outline by examples of sym- 
bolic computation algorithms and their underlying theories and by some demos in 
the Theorema software system. 
Abstract. Many verification, planning, and control problems can be 
modeled as games played on state-transition graphs by one or two play- 
ers whose conflicting goals are to form a path in the graph. The focus 
here is on simple stochastic parity games, that is, two-player games with 
turn-based probabilistic transitions and ω-regular objectives formalized 
as parity (Rabin chain) winning conditions. An efficient translation from 
simple stochastic parity games to nonstochastic parity games is given. As 
many algorithms are known for solving the latter, the translation yields 
efficient algorithms for computing the states of a simple stochastic parity 
game from which a player can win with probability 1. 

An important special case of simple stochastic parity games are the 
Markov decision processes with Büchi objectives. For this special case 
a first provably subquadratic algorithm is given for computing the states 
from which the single player has a strategy to achieve a Büchi objective 
with probability 1. For game graphs with m edges the algorithm works 
in time $O(m\sqrt{m})$. Interestingly, a similar technique sheds light on the 
question of the computational complexity of solving simple Büchi games 
and yields the first provably subquadratic algorithm, with a running time 
of $O(n^2/\log n)$ for game graphs with n vertices and $O(n)$ edges. 



1 Introduction 

Many verification, AI planning, and control problems can be formalized as state- 
transition graphs, and solved by finding paths in these graphs that meet certain 
criteria. Uncertainty about a process evolution is often modeled by probabilistic 
transitions, and then instead of searching for paths we are interested in measur- 
ing the probability that a path satisfies a given criterion, or finding controllers 
that maximize this probability. For decades there have been several separated 
communities studying such problems in the context of stochastic games [13], 
Markov decision processes (MDP’s) [9], AI planning, and model checking. Only 
recently some unification has been attempted. MDP’s can be naturally viewed 
as 1-player stochastic games and the book of Filar and Vrieze [8] provides a 
unified rigorous treatment of the theories of MDP’s and stochastic games. They 
coin the term Competitive MDP’s to encompass both 1- and 2-player stochastic 

* This research was supported in part by the DARPA grant F33615-C-98-3614, the 
ONR grant N00014-02-1-0671, the NSF grants CCR-9988172 and CCR-0225610, and 
the Polish KBN grant 7-T11C-027-20. 
games. We also suggest to cast various games based on state-transition models 
into a unified framework. For this purpose we use the following parameters. 

— Number of players: ½: Markov chains; 1: nondeterministic state-transition 
systems; 1½: MDP’s; 2: game graphs; 2½: stochastic games. 

— The players’ knowledge about the course of the game: simple (or turn-based) 
games: the state determines who plays next; concurrent games: the play- 
ers choose moves simultaneously and independently, without knowing each 
other’s choices [13,1,5]. 

— Winning objectives: qualitative (ω-regular) objectives [14]: finite objectives 
(reachability and safety), or infinite objectives (liveness, such as Büchi or 
general parity conditions); quantitative (reward) objectives [8]: discounted 
reward, or limiting average reward, or total reward. 

— Winning criteria: qualitative criteria [5]: sure winning, almost-sure winning 
(with probability 1), or limit-sure winning (with probability arbitrarily close 
to 1); quantitative criteria: exact probability of winning, or expected reward. 

We mention a few notable examples of models and problems studied in various 
communities that fit into the above categorization. 

— Summable MDP’s [9,8]: simple 1½-player games with maximum expected 
discounted reward. 

— Mean-payoff games [17]: simple 2-player games with maximum limiting av- 
erage reward. 

— Parity games [12,14]: simple 2-player games with parity objectives. 

— Quantitative simple stochastic games [2]: simple 2½-player games with 
reachability objectives and exact probability of winning. 

— Qualitative concurrent ω-regular games [4]: concurrent 2½-player games 
with parity objectives and various qualitative winning criteria. 

— Quantitative concurrent ω-regular games [6]: concurrent 2½-player games 
with parity objectives and exact probability of winning. 

In earlier work [4,11] we studied the complexity of algorithms for solving con- 
current parity games. In particular, we have given efficient reductions from the 
problem of solving concurrent Büchi and co-Büchi games (under the almost-sure 
winning criterion) to the extensively studied problem of solving simple (noncon- 
current) parity games [15,10,16]. In this paper we focus on the following three 
types of games: 

— Qualitative simple stochastic parity games: simple 2½-player games with 
parity objectives and almost-sure winning criterion. 

— Qualitative Büchi MDP’s: simple 1½-player games with Büchi winning ob- 
jectives and almost-sure winning criterion. 

— Simple Büchi games: simple 2-player games with Büchi winning objectives. 

We use n to denote the number of vertices and m to denote the number of edges 
of a game graph. Our main results can be summarized as follows. 
Theorem 1. Every qualitative simple stochastic parity game with priorities in 
the set $\{0, 1, 2, \ldots, d-1\}$ can be translated to a simple parity game with the same 
set of priorities, with $O(d \cdot n)$ vertices and $O(d \cdot (m + n))$ edges, and hence it can 
be solved in time $O(d \cdot (m + n) \cdot (nd)^{\ldots})$. 

Theorem 2 (Pure memoryless determinacy). From every vertex of a sim- 
ple stochastic parity game either one player has a pure memoryless strategy to 
win with probability 1, or there is a $\delta > 0$ such that the other player has a pure 
memoryless strategy to win with probability at least $\delta$. Hence the almost-sure and 
limit-sure winning criteria coincide. 

Theorem 3. Qualitative Büchi MDP’s can be solved in time $O(m\sqrt{m})$. 

This implies also a complexity improvement for solving MDP’s with reachability 
objectives under the almost-sure winning criterion, for which the best algorithm 
so far had $O(mn)$ running time [3]. Interestingly, the novel technique we use for 
Büchi MDP’s allows us to shed some light on the important problem of finding 
subquadratic algorithms for simple Büchi games. 

Theorem 4. Simple Büchi games with $O(n)$ edges can be solved in time 
$O(n^2/\log n)$. 

This result and reductions in [11] prove that concurrent games with a constant 
number of actions and with reachability and Büchi objectives under the almost- 
sure and limit-sure winning criteria can also be solved in subquadratic time (the 
best algorithms so far had $O(n^2)$ running time [4]). 

2 Simple Stochastic Parity Games 

Given $n \in \mathbb{N}$, we write $[n]$ for the set $\{0, 1, 2, \ldots, n\}$ and $[n]_+$ for the set 
$\{1, 2, \ldots, n\}$. A 2½-player game (or simple stochastic game, or SSG) $G = 
(V, E, (V_\Box, V_\Diamond, V_\bigcirc))$ consists of a directed graph $(V, E)$ and a partition $(V_\Box, V_\Diamond, 
V_\bigcirc)$ of the vertex set V. For technical convenience we assume that every vertex 
has at least one outgoing edge. For simplicity we only consider the case when G 
is binary. An infinite path in G is an infinite sequence $(v_0, v_1, v_2, \ldots)$ of vertices 
such that $(v_k, v_{k+1}) \in E$ for all $k \in \mathbb{N}$. We write $\Omega$ for the set of all infinite paths. 
The game is played with three players that move a token from vertex to vertex 
so that an infinite path is formed: from vertices in $V_\Box$, player Even (□) moves the 
token along an outgoing edge to a successor vertex; from vertices in $V_\Diamond$, player 
Odd (◇) moves the token; and from vertices in $V_\bigcirc$, player Random (○) moves 
the token. If there are two outgoing edges, then player Random always moves 
the token to one of the two successor vertices with probability 1/2. Since player 
Random does not have a proper choice of moves, as the other two players do, 
we use the ½-player terminology for player Random. The 2-player games are 
the special case of the 2½-player games with $V_\bigcirc = \emptyset$. The 1½-player games 
(or MDP’s) are the special case of the 2½-player games with $V_\Diamond = \emptyset$. In other 
words, in 2-player games, the only players are Even and Odd; and in 1½-player 
games, the only players are Even and Random. 

Strategies. For a finite set A, a probability distribution on A is a function 
$f : A \to [0, 1]$ such that $\sum_{a \in A} f(a) = 1$. We denote the set of probability 
distributions on A by $\mathcal{D}(A)$. A (mixed) strategy for player Even is a function 
$\sigma : V^* \cdot V_\Box \to \mathcal{D}(V)$ such that for every finite and nonempty sequence $v \in V^* \cdot V_\Box$ 
of vertices, which represents the history of the play so far, $\sigma(v)$ is the next move 
to be chosen by player Even. A strategy must prescribe only available moves, i.e., 
if $(v, u) \notin E$, then $\sigma(w \cdot v)(u) = 0$. The strategy $\sigma$ is pure if for all $w \in V^*$ and 
$v \in V_\Box$, there is a vertex u such that $\sigma(w \cdot v)(u) = 1$. The strategies for player 
Odd are defined analogously. We write $\Sigma$ and $\Pi$ for the sets of all strategies for 
players Even and Odd, respectively. A memoryless strategy is a strategy which 
does not depend on the history of the play but only on the current vertex. A pure 
memoryless strategy for player Even can be represented as a function $\sigma : V_\Box \to V$ 
such that $(v, \sigma(v)) \in E$ for all $v \in V_\Box$. 

For an initial vertex v, and two strategies $\sigma \in \Sigma$ and $\pi \in \Pi$ for players Even 
and Odd, respectively, we define $\mathrm{Outcome}(v, \sigma, \pi) \subseteq \Omega$ to be the set of paths 
that can be followed when a play starts from vertex v and the players use the 
strategies $\sigma$ and $\pi$. Formally, $(v_0, v_1, v_2, \ldots) \in \mathrm{Outcome}(v, \sigma, \pi)$ if $v_0 = v$, and 
for all $k \geq 0$, we have that $v_k \in V_\bigcirc$ implies $(v_k, v_{k+1}) \in E$, $v_k \in V_\Box$ implies 
$\sigma(v_0, v_1, \ldots, v_k)(v_{k+1}) > 0$, and $v_k \in V_\Diamond$ implies $\pi(v_0, v_1, \ldots, v_k)(v_{k+1}) > 0$. 
Once a starting vertex v and strategies $\sigma \in \Sigma$ and $\pi \in \Pi$ for the two players 
have been chosen, the probabilities of events are uniquely defined, where an event 
$\mathcal{A} \subseteq \Omega$ is a measurable set of paths. For a vertex v and an event $\mathcal{A} \subseteq \Omega$, we 
write $\Pr_v^{\sigma,\pi}[\mathcal{A}]$ for the probability that a path belongs to $\mathcal{A}$ if the game starts 
from v and the players use the strategies $\sigma$ and $\pi$. 

Winning objectives. A winning objective for an SSG G is a set $W \subseteq \Omega$ of 
infinite paths. We consider the following winning objectives. 

— Büchi objective. For a set $T \subseteq V$ of target vertices, the Büchi objective is de- 
fined as $\mathrm{B\ddot{u}chi}(T) = \{(v_0, v_1, v_2, \ldots) \in \Omega : v_k \in T \text{ for infinitely many } k \geq 0\}$. 

— Parity objective. Let $p : V \to [d]$ be a function that assigns a priority $p(v)$ to 
every vertex $v \in V$, where $d \in \mathbb{N}$. For an infinite path $v = (v_0, v_1, \ldots) \in \Omega$, 
we define $\mathrm{Inf}(v) = \{i \in [d] : p(v_k) = i \text{ for infinitely many } k \geq 0\}$. The Even 
parity objective is defined as $\mathrm{Parity}(p) = \{v \in \Omega : \min(\mathrm{Inf}(v)) \text{ is even}\}$, and 
the Odd parity objective as $\mathrm{co\text{-}Parity}(p) = \{v \in \Omega : \min(\mathrm{Inf}(v)) \text{ is odd}\}$. 

Note that for a priority function $p : V \to [1]$ with only two priorities (0 
and 1), an even parity objective $\mathrm{Parity}(p)$ is equivalent to the Büchi objec- 
tive $\mathrm{B\ddot{u}chi}(p^{-1}(0))$, i.e., the target set consists of the vertices with priority 0. A 
2½-player parity game (or parity SSG) is a pair $(G, p)$, where G is a 2½-player 
game and p is a priority function. If G is a 2-player (resp. 1½-player) game, then 
$(G, p)$ is a 2-player parity game (resp. 1½-player parity game, or parity MDP). 
A 2-player Büchi game is a pair $(G, T)$, where G is a 2-player game and T is 
a set of target vertices. If G is a 1½-player game, then $(G, T)$ is a 1½-player 
Büchi game (or Büchi MDP). 
Winning criteria. Consider an SSG G with winning objective W. We say that 
a strategy $\sigma \in \Sigma$ for player Even is 

— sure winning from vertex v if for all strategies $\pi \in \Pi$ of player Odd, we have 
$\mathrm{Outcome}(v, \sigma, \pi) \subseteq W$; 

— almost-sure winning from vertex v if for all strategies $\pi \in \Pi$ of player Odd, 
we have $\Pr_v^{\sigma,\pi}[W] = 1$; 

— positive-probability winning from vertex v if there is a $\delta > 0$ such that for 
all strategies $\pi \in \Pi$ of player Odd, we have $\Pr_v^{\sigma,\pi}[W] \geq \delta$. 

The definitions for player Odd are similar. We shall see that player Even has an 
almost-sure winning strategy for W from v if and only if player Odd does not 
have a positive-probability winning strategy for $\Omega \setminus W$ from v. For 2-player games 
all three of the above winning criteria coincide, i.e., the existence of a positive- 
probability winning strategy for a player implies the existence of a sure winning 
strategy. In this paper we consider the dual criteria of almost-sure winning (i.e., 
winning with probability 1) and positive-probability winning, for 2½- and 1½- 
player games, and the criterion of sure winning for 2-player games: 

— The problem of solving a 2½-player (resp. 1½-player) parity game $(G, p)$ 
is to compute the set of vertices of G from which the player Even has an 
almost-sure winning strategy for the objective $W = \mathrm{Parity}(p)$. 

— The problem of solving a 2-player parity game $(G, p)$ is to compute the set 
of vertices of G from which the player Even has a sure winning strategy for 
the objective $W = \mathrm{Parity}(p)$. 

3 Solving 2½-Player Parity Games

The main result of this section is an algorithm for solving 2½-player parity games, which is obtained by an efficient reduction to 2-player parity games, i.e., a proof of Theorem 1. As in our earlier work [11], the key technical tool for the correctness proof of the reduction is the notion of ranking functions, which witness the existence of winning strategies for the players. Our ranking functions are closely related to the semantics of the $\mu$-calculus formulas that express the winning sets of concurrent stochastic parity games [4], but due to the lack of concurrency in our games, the defining conditions for our ranking functions are considerably simpler. Two corollaries of our proof are of independent interest. First, we establish the existence of pure memoryless winning strategies for both players in simple stochastic parity games (Theorem 2). This is in contrast to concurrent games, where players need mixed strategies with infinite memory [4]. Second, in simple stochastic parity games the almost-sure and limit-sure winning criteria coincide (Theorem 2), which is not the case for concurrent games [4].

3.1 Ranking Functions

In this subsection we provide a characterization of the “universal” parity MDP problem. We define certain sufficient conditions for establishing that for all strategies $\pi$, the Markov chain $M_\pi$ satisfies the parity condition with probability 1, or with probability at least $\delta > 0$. These sufficient conditions are then used in the next subsection to prove correctness of our solution for 2½-player parity games: a strategy $\sigma$ is winning for a player if and only if the parity MDP $G_\sigma$ is a solution to the universal parity MDP problem.

Consider a parity MDP $M = (V, E, (V_\Box, V_\bigcirc), p : V \to [d])$. Without loss of generality assume that $d$ is even. A ranking function for player Even labels vertices with $(d/2)$-tuples of natural numbers: $\varphi = (\varphi^1, \varphi^3, \ldots, \varphi^{d-1}) : V \to [n]^{d/2} \cup \{\infty\}$, for some $n \in \mathbb{N}$. For succinctness, for all odd $k \in [d]$ we write $\varphi^{\le k}(v)$ to denote the tuple $(\varphi^1(v), \varphi^3(v), \ldots, \varphi^k(v))$. We often call $\varphi(v)$ the rank of vertex $v$, and we call $\varphi^{\le k}(v)$ the $k$-th rank of vertex $v$. A ranking function for player Odd is a function $\psi = (\psi^0, \psi^2, \ldots, \psi^d) : V \to [n]^{d/2+1} \cup \{\infty\}$; we use similar notational conventions as with ranking functions for player Even. For all $v \in V_\bigcirc$, we write $\Pr_v[\varphi^k_<]$ (resp. $\Pr_v[\varphi^k_\le]$) for the one-step probability of reaching from vertex $v$ a successor $u$ of $v$ such that $\varphi^{\le k}(u) <_{\mathrm{lex}} \varphi^{\le k}(v)$ (resp. $\varphi^{\le k}(u) \le_{\mathrm{lex}} \varphi^{\le k}(v)$). In other words, $\Pr_v[\varphi^k_<]$ is the probability in vertex $v$ of strictly decreasing the $k$-th rank in one step, and $\Pr_v[\varphi^k_\le]$ is the probability of not increasing the $k$-th rank. Moreover, we write $\Pr_v[\varphi_{<\infty}]$ (or for notational convenience $\Pr_v[\varphi^{-1}_\le]$) for the one-step probability of reaching from $v$ a successor $u$ of $v$ such that $\varphi(u) \ne \infty$. We always use these notations in the context of expressions such as $\Pr_v[\varphi^k_\le] = 1$ or $\Pr_v[\varphi^k_<] \ge \varepsilon$. By slight abuse of notation, for vertices $v \in V_\Box$ we also write $\Pr_v[\varphi^k_\le]$ and $\Pr_v[\varphi^k_<]$ in such expressions, and then we mean those expressions to hold if and only if they hold for all mixed one-step strategies in vertex $v$. It is easy to verify that if either of the two expressions above holds for all pure one-step strategies in $v$, then it also holds for all mixed one-step strategies.

Definition 1 (Almost-sure ranking). A ranking function $\varphi : V \to [n]^{d/2} \cup \{\infty\}$ for player Even is an almost-sure ranking if there is an $\varepsilon > 0$ such that for every vertex $v$ with $\varphi(v) \ne \infty$, the following condition $C_v$ holds:

- $p(v)$ even: $\bigvee_{\text{odd } i \in [p(v)]} \bigl(\Pr_v[\varphi^{i-2}_\le] = 1 \wedge \Pr_v[\varphi^i_<] \ge \varepsilon\bigr) \vee \bigl(\Pr_v[\varphi^{p(v)-1}_\le] = 1\bigr)$,

- $p(v)$ odd: $\bigvee_{\text{odd } i \in [p(v)]} \bigl(\Pr_v[\varphi^{i-2}_\le] = 1 \wedge \Pr_v[\varphi^i_<] \ge \varepsilon\bigr)$.

Proposition 1. Let $k \in [d]$ be an odd priority. Then for every vertex $v$ with $\varphi(v) \ne \infty$ the following conditions hold.

(a) If $p(v) = k$, then in one step from vertex $v$ the $k$-th rank decreases with probability at least $\varepsilon$.

(b) If $p(v) > k$, then in one step from vertex $v$ either the $k$-th rank decreases with probability at least $\varepsilon$, or the $k$-th rank does not increase (with probability 1).

Lemma 1. Let $\varphi$ be an almost-sure ranking for a parity MDP. Then for every (mixed) strategy of player Odd, the Even parity objective is satisfied with probability 1 from every vertex $v$ with $\varphi(v) \ne \infty$.

Proof. Once the strategy for player Odd is fixed, a play in the parity MDP is an infinite random walk. We argue that this random walk satisfies the Even parity objective with probability 1. From our discussion above it follows that the conditions expressed in the definition of an almost-sure ranking hold for all mixed one-step strategies of player Odd, and since our reasoning below is carried out using only these conditions, it applies to all mixed strategies for player Odd.

In order to prove that with probability 1 the lowest priority occurring infinitely often is even, it suffices to show that for every odd priority $k \in [d]$, if vertices of priority $k$ keep occurring in the random walk, then with probability 1 eventually a vertex of lower priority occurs. First note that from the definition of an almost-sure ranking it follows that all successors of a vertex with finite rank have finite rank: one of the conditions $\Pr_v[\varphi^i_\le] = 1$ must hold, so the $i$-th rank cannot increase in any step and thus the rank stays finite. Let $k \in [d]$ be odd. For the sake of contradiction assume that from some point on vertices of priority $k$ keep occurring, but no vertex of a lower priority ever occurs. In this case Proposition 1 implies that in every step either the $k$-th rank does not increase with probability 1, or it decreases with probability at least $\varepsilon$, and moreover, in every step from a vertex of priority $k$ the $k$-th rank decreases with probability at least $\varepsilon$. As there are $N = (n+1)^{(k+1)/2}$ different values of a $k$-th rank, within at most $N$ visits to a vertex of priority $k$ the $k$-th rank must decrease to $(0, \ldots, 0)$ with probability at least $\varepsilon^N$. Thus with probability 1 a vertex with $k$-th rank $(0, \ldots, 0)$ is eventually reached. This contradicts the assumption that priority $k$ occurs infinitely often: no vertex of priority $k$ can have its $k$-th rank equal to $(0, \ldots, 0)$, because by Proposition 1(a) a step from such a vertex has to decrease the $k$-th rank with positive probability and $(0, \ldots, 0)$ is the smallest rank. ■



Definition 2 (Positive-probability ranking). A ranking function $\psi : V \to [n]^{d/2+1} \cup \{\infty\}$ for player Odd is a positive-probability ranking if there is an $\varepsilon > 0$ such that for every vertex $v$ with $\psi(v) \ne \infty$, the following condition $D_v$ holds:

- $p(v)$ even: $\bigl(\Pr_v[\psi^0_<] \ge \varepsilon\bigr) \vee \bigvee_{\text{even } i \in [p(v)]^+} \bigl(\Pr_v[\psi^{i-2}_\le] = 1 \wedge \Pr_v[\psi^i_<] \ge \varepsilon\bigr)$,

- $p(v)$ odd: $\bigl(\Pr_v[\psi^0_<] \ge \varepsilon\bigr) \vee \bigvee_{\text{even } i \in [p(v)]^+} \bigl(\Pr_v[\psi^{i-2}_\le] = 1 \wedge \Pr_v[\psi^i_<] \ge \varepsilon\bigr) \vee \bigl(\Pr_v[\psi^{p(v)-1}_\le] = 1\bigr)$.

A proof similar to that of Lemma 1 can be used to prove the following lemma.

Lemma 2. Let $\psi$ be a positive-probability ranking for a parity MDP. Then there is a $\delta > 0$ such that for every (mixed) strategy of player Even, the Odd parity objective is satisfied with probability at least $\delta$ from every vertex $v$ with $\psi(v) \ne \infty$.



3.2 The Reduction

Given a 2½-player parity game $G = (V, E, (V_\Box, V_\Diamond, V_\bigcirc), p : V \to [d])$, we construct a 2-player parity game $\bar G$ with the same set $[d]$ of priorities. For every vertex $v \in V_\Box \cup V_\Diamond$, there is a vertex $\bar v \in \bar V$ with “the same” outgoing edges, i.e., $(\bar v, \bar u) \in \bar E$ if and only if $(v, u) \in E$. Each random vertex $v \in V_\bigcirc$ is substituted by the gadget presented in Figure 1. More formally, the players play the following 3-step game in $\bar G$ from vertex $\bar v$ of priority $p(v)$. First, in vertex $\bar v$ player Odd chooses a successor $(\bar v, k)$, each of priority $p(v)$, where $k \in [p(v)+1]$ is even. Then in vertex $(\bar v, k)$ player Even chooses from at most two successors: vertex $(\hat v, k-1)$ of priority $k-1$ if $k > 0$, or vertex $(\hat v, k)$ of priority $k$ if $k \le p(v)$. Finally, in a vertex $(\hat v, k)$ the choice is between all vertices $\bar u$ such that $(v, u) \in E$, and it belongs to player Even if $k$ is odd, and to player Odd if $k$ is even.

[Figure 1 (gadget diagram) is not reproduced in this text.]

Fig. 1. Gadget for reducing 2½-player parity games to 2-player parity games.
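The gadget construction above, as an added illustration that is not the paper's code: `reduce_to_two_player` builds the 2-player game from a small 2½-player parity game, naming the gadget vertices ("bar", v) for $\bar v$, ("mid", v, k) for $(\bar v, k)$ and ("hat", v, j) for $(\hat v, j)$; this tuple encoding, the `ParityGame` container and the `check_two_player` sanity check are my own choices, and the toy game is constructed for the example.

```python
# Added example: the 3-step gadget that replaces each random vertex of a
# 2½-player parity game by Odd/Even choice vertices (Figure 1 above).
# Not the paper's code; vertex naming and data layout are assumptions.
from dataclasses import dataclass

EVEN, ODD, RANDOM = "even", "odd", "random"   # players □, ◇, ○


@dataclass
class ParityGame:
    owner: dict   # vertex -> EVEN | ODD | RANDOM
    succ: dict    # vertex -> list of successor vertices
    prio: dict    # vertex -> priority in [d]


def reduce_to_two_player(g: ParityGame) -> ParityGame:
    """Build the 2-player parity game from a 2½-player one.

    A non-random v keeps its edges as ("bar", v).  A random v of priority p
    becomes: ("bar", v) [Odd, prio p] -> ("mid", v, k) [Even, prio p] for
    even k in [p+1] -> ("hat", v, k-1) if k > 0 and ("hat", v, k) if k <= p,
    where ("hat", v, j) has priority j, belongs to Even iff j is odd, and
    leads to ("bar", u) for every original edge (v, u).
    """
    owner, succ, prio = {}, {}, {}
    for v, own in g.owner.items():
        bar = ("bar", v)
        if own != RANDOM:
            owner[bar], prio[bar] = own, g.prio[v]
            succ[bar] = [("bar", u) for u in g.succ[v]]
            continue
        p = g.prio[v]
        owner[bar], prio[bar], succ[bar] = ODD, p, []
        for k in range(0, p + 2, 2):              # even k in [p(v)+1]
            mid = ("mid", v, k)
            owner[mid], prio[mid], succ[mid] = EVEN, p, []
            succ[bar].append(mid)
            for j in (k - 1, k):                  # Even's two options
                if not 0 <= j <= p:
                    continue
                hat = ("hat", v, j)
                if hat not in owner:
                    owner[hat] = EVEN if j % 2 == 1 else ODD
                    prio[hat] = j
                    succ[hat] = [("bar", u) for u in g.succ[v]]
                succ[mid].append(hat)
    return ParityGame(owner, succ, prio)


def check_two_player(g: ParityGame, original: ParityGame) -> bool:
    """Sanity checks on the reduced game: no random vertices, every vertex
    has a successor, all edges stay inside the game, and no priority
    exceeds the original maximum."""
    top = max(original.prio.values())
    return (all(o != RANDOM for o in g.owner.values())
            and all(g.succ[v] for v in g.owner)
            and all(u in g.owner for v in g.owner for u in g.succ[v])
            and all(pr <= top for pr in g.prio.values()))


def gadget_size(p: int) -> int:
    """Number of vertices the gadget creates for a random vertex of
    priority p: one bar, one mid per even k in [p+1], hats for 0..p."""
    mids = (p + 1) // 2 + 1
    return 1 + mids + (p + 1)


# Constructed toy game: a -> r (random) -> {a, b}; b -> b.
TOY = ParityGame(
    owner={"a": EVEN, "r": RANDOM, "b": ODD},
    succ={"a": ["r"], "r": ["a", "b"], "b": ["b"]},
    prio={"a": 2, "r": 3, "b": 0},
)

if __name__ == "__main__":
    reduced = reduce_to_two_player(TOY)
    print(len(reduced.owner), check_two_player(reduced, TOY))
```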

Lemma 3. For every vertex $v$ in $G$, if player Even (resp. Odd) has a sure winning strategy from vertex $\bar v$ in $\bar G$, then player Even (resp. Odd) has an almost-sure (resp. positive-probability) winning strategy from $v$.

Proof. We prove the claim for player Even. The case of player Odd is similar and is omitted here. If $\bar W_\Box$ is the set of vertices from which player Even has a winning strategy in $\bar G$, then there is a ranking function (also called a progress measure [10]) $\bar\varphi : \bar V \to [n]^{d/2} \cup \{\infty\}$ (where $n \le |\bar V|$) such that $\bar\varphi(w) \ne \infty$ for all $w \in \bar W_\Box$. This ranking function induces a memoryless winning strategy $\bar\sigma$ for player Even in $\bar G$ [10]. We define a ranking function $\varphi$ and a memoryless strategy $\sigma$ for player Even for $G$ by setting $\varphi(v) = \bar\varphi(\bar v)$ and $\sigma(v) = \bar\sigma(\bar v)$ for every $v \in V$. Taking the strategy subgraph of $\sigma$ in $G$ we obtain a parity MDP $M$ (we write $\bar M$ for the strategy subgraph of $\bar\sigma$ in $\bar G$). In order to prove the claim, by Lemma 1 it suffices to argue that $\varphi$ is an almost-sure ranking for $M$. It is easy to verify that the ranking condition $C_v$ holds for all vertices $v \in V_\Box \cup V_\Diamond$ with $\varphi(v) \ne \infty$. We prove that the ranking condition $C_v$ holds for all vertices $v \in V_\bigcirc$ with $\varphi(v) \ne \infty$. Let $k \in [p(v)]^+$ be even. Since vertex $\bar v$ belongs to player Odd, the edge leading to vertex $(\bar v, k)$ must be in $\bar M$. Vertex $(\bar v, k)$ belongs to player Even, so either the edge leading to vertex $(\hat v, k-1)$ or the one leading to vertex $(\hat v, k)$ belongs to $\bar M$. In the former case, by analyzing the inequalities between $\bar\varphi$-ranks of vertices on the path from $\bar v$ to the successor of $(\hat v, k-1)$ in $\bar M$, which hold by the definition of a ranking function [10], we can deduce that $\Pr_v[\varphi^{k-1}_<] \ge 1/2$ holds. In the latter case, we get that $\Pr_v[\varphi^{k-1}_\le] = 1$ holds. Considering all edges that lead out of vertex $\bar v$ in $\bar M$, we conclude that the following condition holds: $(\Pr_v[\varphi_{<\infty}] = 1) \wedge \bigwedge_{\text{odd } i \in [p(v)]} \bigl(\Pr_v[\varphi^i_\le] = 1 \vee \Pr_v[\varphi^i_<] \ge 1/2\bigr)$. This condition can be shown to imply the ranking condition $C_v$ using the two simple properties that if $i, j \in [p(v)]$ are odd and $i < j$, then $\Pr_v[\varphi^j_\le] = 1$ implies $\Pr_v[\varphi^i_\le] = 1$, and $\Pr_v[\varphi^i_<] \ge \varepsilon$ implies $\Pr_v[\varphi^j_<] \ge \varepsilon$. ■
Algorithm 1 Classical algorithm for Büchi MDPs

Input: 1½-player Büchi game $(G, T)$. Output: $W_\bigcirc$ and $W_\Box = V \setminus W_\bigcirc$.
1. $G_0 := G$; 2. $W_0 := \emptyset$; 3. $i := 0$
4. repeat
    4.1 $W_{i+1} :=$ One-Iteration-Of-The-Classical-Algorithm$(V_i)$
    4.2 $V_{i+1} := V_i \setminus W_{i+1}$; $i := i + 1$
   until $W_i = \emptyset$
5. $W_\bigcirc := \bigcup_{k=1}^{i} W_k$

Procedure One-Iteration-Of-The-Classical-Algorithm
Input: set $V_i \subseteq V$. Output: set $W_{i+1} \subseteq V_i$.
1. $R_i := \mathrm{Reach}(T \cap V_i, V_i)$; 2. $Tr_i := V_i \setminus R_i$; 3. $W_{i+1} := \mathrm{Attr}_\bigcirc(Tr_i, V_i)$



4 An $O(n\sqrt{n})$ Algorithm for 1½-Player Büchi Games

In this section we consider 1½-player games with Büchi winning objectives, i.e., Büchi MDPs. There are two players, Even and Random. We write $T$ for the set of target vertices, which player Even attempts to visit infinitely often. By $W_\Box$ we denote the set of vertices from which player Even has an almost-sure winning strategy, and by $W_\bigcirc$ the set from which the Büchi objective is violated with positive probability for all strategies of player Even. We call these sets the winning sets for player Even and Random, respectively. The main result of this section is an $O(n\sqrt{n})$ algorithm for computing $W_\Box$ and $W_\bigcirc$ for a 1½-player Büchi game with $n$ vertices and $O(n)$ edges. This proves Theorem 3, because a game graph with $m$ edges can be easily converted in $O(m + n)$ time to an equivalent game graph with $O(m)$ vertices and $O(m)$ edges.

In the rest of the paper we use the following notations for a graph $G = (V, E)$ and a set $S \subseteq V$ of vertices. We write $\mathrm{succ}(v, G) = \{u \in V : (v, u) \in E\}$ for the set of immediate successors of vertex $v$. We define $\mathrm{In}(S, G) = \{(v, u) \in E : v \notin S \text{ and } u \in S\}$ to be the set of edges that enter set $S$, and $\mathrm{Source}(S, G) = \{v \in V : (v, u) \in \mathrm{In}(S, G) \text{ for some } u\}$ is the set of sources of edges that enter $S$. We write $\mathrm{Reach}(S, G)$ for the set of vertices from which there is a path in graph $G$ to a vertex in $S$. Let $(V_\Box, V_*)$ be a partition of the set $V$ of vertices (player $\Box$ moves from the vertices in $V_\Box$ and player $*$ moves from the vertices in $V_*$, where $* \in \{\Diamond, \bigcirc\}$). We inductively define the set $\mathrm{Attr}_\Box(S, G)$ of vertices from which player $\Box$ has a strategy to reach the set $S$ in the following way. Set $R_0 = S$, and for $k \ge 0$, set $R_{k+1} = R_k \cup \{v \in V_\Box : (v, u) \in E \text{ for some } u \in R_k\} \cup \{v \in V_* : u \in R_k \text{ for all } (v, u) \in E\}$. Let $\mathrm{Attr}_\Box(S, G) = \bigcup_k R_k$. We define the set $\mathrm{Attr}_*(S, G)$ in a similar way. We fix a graph $G$ until the end of the paper and, by a slight abuse of notation, instead of putting graphs as the second parameters of all the above definitions, we will write a subset $S$ of the vertices to stand for the subgraph of $G$ that is induced by the set $S$ of vertices.

The classical algorithm (Algorithm 1 [3]) works as follows. First it finds the set of vertices $R$ from which the target set $T$ is reachable. The rest of the vertices $Tr = V \setminus R$ (a “trap” for player Even) are identified as winning for player Random. Then the set of vertices $W$, from which player Random has a strategy to reach its winning set $Tr$, is computed. Set $W$ is identified as a subset of the winning set for player Random and it is removed from the vertex set. The algorithm then iterates on the reduced game graph. In every iteration it performs a backward search from the current target set to find vertices which can reach the target set. Each iteration takes $O(n)$ time.

Our improved algorithm (Algorithm 2) differs from the classical algorithm by selectively performing either a backward search as the classical algorithm does, or a cheap forward exploration of edges from vertices that are good candidates to be included in the winning set of player Random. In Step 4.1 of the improved algorithm, if the number of edges entering the set of vertices included in the previous iteration into the winning set of player Random is at least as big as a constant $k$, then we run an iteration of the classical algorithm. Otherwise, i.e., if this number is smaller than $k$, then let $S$ be the set of sources of edges that enter the set of vertices winning for player Random in the previous iteration. The vertices in $S$ are considered as candidates to be included into the winning set of player Random in the current iteration. In Step 4.2.2.1 (procedure Dovetail-Explore) a dovetailing exploration of edges is performed from all vertices in $S$. From all vertices $v \in S$, up to $\ell$ edges are explored in a round-robin fashion. If the forward exploration of edges from a vertex $v \in S$ terminates before $\ell$ edges are explored, and none of the explored vertices is in the target set, then the explored subgraph is included in the winning set of player Random. If Step 4.2.2.1 fails to identify a winning set of player Random, then in Step 4.2.4 an iteration of the classical algorithm is executed. The winning set discovered by the iteration of the classical algorithm in Step 4.2.4 must contain at least $\ell$ edges, as otherwise it would have been discovered in Step 4.2.2.1.

Lemma 4. Algorithm 2 correctly computes the sets $W_\bigcirc$ and $W_\Box$.

Proof. We prove by induction that $W_i$ computed in any iteration of the improved algorithm satisfies $W_i \subseteq W_\bigcirc$. Base case: $W_0 = \emptyset \subseteq W_\bigcirc$.

Inductive case: we argue that $W_i \subseteq W_\bigcirc$ implies $W_{i+1} \subseteq W_\bigcirc$.

1. If Step 4.1 is executed, then $W_{i+1} \subseteq W_\bigcirc$ by correctness of the classical algorithm.

2. If Step 4.2.2 is executed, then a nonempty set $R_v$ is included in $Tr_i$ in Step 3.3 of procedure Dovetail-Explore. By the condition in Step 3.3 of Dovetail-Explore, no vertex in $R_v$ can reach a vertex outside of $R_v$, and since $R_v \cap T \cap V_i = \emptyset$, we conclude that $T \cap V_i$ cannot be reached from any vertex in $R_v$. Therefore $R_v \subseteq W_\bigcirc$ and $Tr_i \subseteq W_\bigcirc$. Hence $U \subseteq W_\bigcirc$ and $W_{i+1} \subseteq W_\bigcirc$.

3. If Steps 4.2.2 and 4.2.4 are executed, then $U \subseteq W_\bigcirc$ and the correctness of an iteration of the classical algorithm imply $W_{i+1} \subseteq W_\bigcirc$.

The other inclusion, $W_\bigcirc \subseteq \bigcup_k W_k$, follows from the correctness of the classical algorithm, because the termination condition of the loop in Step 4 implies that $Tr_i = \emptyset$ holds, so the last iteration was an iteration of the classical algorithm. ■

Lemma 5. The total work in Step 4.2.2.1 of Algorithm 2 is $O(kn)$.
Algorithm 2 Improved Algorithm for Büchi MDPs

Input: 1½-player Büchi game $(G, T)$. Output: $W_\bigcirc$ and $W_\Box = V \setminus W_\bigcirc$.

1. $G_0 := G$; 2. $W_0 := \emptyset$; 3. $i := 0$
4. repeat
    4.1 if $|\mathrm{In}(W_i, V_i \cup W_i)| \ge k$ then
        4.1.1 $W_{i+1} :=$ One-Iteration-Of-The-Classical-Algorithm$(V_i)$
    4.2 else ($|\mathrm{In}(W_i, V_i \cup W_i)| < k$)
        4.2.1 $U := \emptyset$
        4.2.2 repeat
            4.2.2.1 $Tr_i :=$ Dovetail-Explore$(V_i \setminus U, \mathrm{Source}(W_i \cup U, V_i \cup W_i))$
            4.2.2.2 $U := U \cup \mathrm{Attr}_\bigcirc(Tr_i, V_i \setminus U)$
           until $|\mathrm{In}(W_i \cup U, V_i \cup W_i)| \ge k$ or $Tr_i = \emptyset$
        4.2.3 if $Tr_i \ne \emptyset$ then $W_{i+1} := U$
        4.2.4 else $W_{i+1} := U \cup$ One-Iteration-Of-The-Classical-Algorithm$(V_i \setminus U)$
    4.3 $V_{i+1} := V_i \setminus W_{i+1}$
    4.4 $i := i + 1$
   until $W_i = \emptyset$
5. $W_\bigcirc := \bigcup_{k=1}^{i} W_k$

Procedure Dovetail-Explore

Input: set $S \subseteq V_i$ and graph $G_i = (V_i, E_i)$. Output: set $Tr_i \subseteq V_i$.

1. $Tr_i := \emptyset$; 2. $ec := \ell$
3. repeat
    3.1 $ec := ec - 1$
    3.2 for each vertex $v \in S$: extend the subgraph $R_v \subseteq V_i$ by exploring a new edge
    3.3 if there is $v \in S$ s.t. for all $u \in R_v$, $\mathrm{succ}(u, V_i) \subseteq R_v$ and $R_v \cap T \cap V_i = \emptyset$ then return $Tr_i := R_v$
   until $ec = 0$
4. return $Tr_i$



Proof. Consider the following two cases.

1. If a nonempty set of vertices $R_v$ is included in the set $Tr_i$ in Step 3.3 of Dovetail-Explore, and the number of edges in the induced subgraph $R_v$ is $e_i$, then the total work done in Step 3 is $O(k e_i)$, because $|\mathrm{Source}(W_i \cup U, V_i \cup W_i)| < k$. Since $e_i$ edges are removed from the graph and the number of all edges in the graph is $O(n)$, the total work over all iterations of Dovetail-Explore when a nonempty set $R_v$ is included in a set $Tr_i$ is $O(kn)$.

2. If $Tr_i = \emptyset$ after executing the procedure Dovetail-Explore, then the work done there is $O(k\ell)$. Whenever this happens, the subgraph induced by the set of vertices $Tr_i$ discovered by the following iteration of the classical algorithm must have more than $\ell$ edges. This can happen at most $O(n/\ell)$ times, because the number of edges in the graph is $O(n)$. Hence the total work over all iterations is $O((n/\ell) k\ell) = O(kn)$. ■

Lemma 6. The total work in Step 4.2.2.2 of Algorithm 2 is $O(n)$, in Step 4.2.2 it is $O(kn)$, in Step 4.1 it is $O(n^2/k)$, and in Step 4.2.4 it is $O(n^2/\ell)$.

Lemma 7. Algorithm 2 solves 1½-player Büchi games with $n$ vertices and $O(n)$ edges in time $O(n\sqrt{n})$.

Proof. Correctness follows from Lemma 4. By Lemma 6 the work in Steps 4.1, 4.2.2, and 4.2.4 is $O(n^2/k + kn + n^2/\ell)$. Take $k = \ell = \sqrt{n}$ to get the $O(n\sqrt{n})$ bound for the total work. ■

5 An $O(n^2/\log n)$ Algorithm for 2-Player Büchi Games

In this section we consider 2-player games of the form $(G, T)$, where $T$ is the set of target vertices. By $W_\Box$ we denote the set of vertices from which player Even has a strategy to visit a state in $T$ infinitely often, and by $W_\Diamond$ the set of vertices from which player Odd can avoid visiting $T$ infinitely often. These are the winning sets for player Even and Odd, respectively. By determinacy of parity games [7] we have $W_\Diamond = V \setminus W_\Box$. Inspired by the algorithm of the previous section, we provide an algorithm for computing the set $W_\Diamond$ in time $O(n^2/\log n)$ if $G$ has $n$ vertices and $O(n)$ edges, a proof of Theorem 4. A graph is binary if every vertex has at most two successors. For simplicity we present the algorithm for the case when the game graph is binary.

The classical algorithm for solving 2-player Büchi games (Algorithm 3 [15]) is very similar to the classical algorithm of the previous section. The only difference is that in step 1 of each iteration $i$ we compute the set $R_i$ to be the set of vertices from which player Even has a strategy to reach set $T$, i.e., $R_i = \mathrm{Attr}_\Box(T \cap V_i, V_i)$; and in step 3 the set $W_{i+1}$ is the set of vertices from which player Odd has a strategy to reach set $Tr_i$. Then the winning set of player Odd is obtained as the union of the sets $W_i$ over all iterations.
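Algorithm 1 (Büchi MDPs) and Algorithm 3 (2-player Büchi games) share one skeleton: compute $R_i$, take the trap $Tr_i = V_i \setminus R_i$, attract it for the adversary, remove the result and repeat until nothing is removed. The added example below (not the paper's code) implements that skeleton with a single attractor routine whose existential owner set decides between Reach, $\mathrm{Attr}_\Box$, $\mathrm{Attr}_\Diamond$ and $\mathrm{Attr}_\bigcirc$; the game graph and the `two_player` switch are my own, and the same graph is solved once as a Büchi MDP and once as a 2-player game to show that the winning sets differ.

```python
# Added example: the classical fixpoint algorithms for Büchi MDPs
# (Algorithm 1) and 2-player Büchi games (Algorithm 3).  Not the paper's
# code; the game graph below is constructed for illustration.
EVEN, ODD, RANDOM = "even", "odd", "random"   # players □, ◇, ○


def attractor(targets, verts, succ, owner, existential):
    """Least fixpoint R_0 = S, R_{k+1} = R_k ∪ {v : owner in `existential`
    with some successor in R_k} ∪ {v : other owner, all successors in R_k},
    computed inside the subgraph induced by `verts`.  Reach(S, G) is the
    case where every owner is existential; Attr_□ uses existential={EVEN}."""
    reached = set(targets) & verts
    changed = True
    while changed:
        changed = False
        for v in verts - reached:
            nxt = [u for u in succ[v] if u in verts]
            if owner[v] in existential:
                pulled = any(u in reached for u in nxt)
            else:
                pulled = all(u in reached for u in nxt)
            if pulled:
                reached.add(v)
                changed = True
    return reached


def solve_buchi(owner, succ, target, two_player):
    """Return (W_adversary, W_even).

    two_player=False: Büchi MDP, R_i = Reach(T ∩ V_i, V_i) and
    W_{i+1} = Attr_○(Tr_i, V_i); W_even is the almost-sure winning set
    (Algorithm 1).  two_player=True: R_i = Attr_□(T ∩ V_i, V_i) and
    W_{i+1} = Attr_◇(Tr_i, V_i); W_even is the sure winning set (Algorithm 3).
    """
    if two_player:
        reach_exist, attr_exist = {EVEN}, {ODD}
    else:
        reach_exist, attr_exist = {EVEN, ODD, RANDOM}, {RANDOM}
    v_i = set(owner)
    w_adv = set()
    while True:
        r_i = attractor(target, v_i, succ, owner, reach_exist)
        trap = v_i - r_i                                   # Tr_i
        w_next = attractor(trap, v_i, succ, owner, attr_exist)
        if not w_next:                                     # until W_i = ∅
            break
        w_adv |= w_next
        v_i -= w_next                                      # V_{i+1}
    return w_adv, v_i


# Constructed game graph.  'c' is the only target.  'r' and 'g' are the
# adversary's vertices: random in the MDP reading, Odd-owned otherwise.
SUCC = {"c": ["c2"], "c2": ["c"], "a": ["r"], "r": ["c", "d"],
        "d": ["d"], "e": ["e", "a"], "g": ["c", "g2"], "g2": ["g"]}
TARGET = {"c"}


def owners(adversary):
    return {v: (adversary if v in ("r", "g") else EVEN) for v in SUCC}


def solve_mdp():
    """W_○ and W_□ of the constructed Büchi MDP."""
    return solve_buchi(owners(RANDOM), SUCC, TARGET, two_player=False)


def solve_game():
    """W_◇ and W_□ of the same graph read as a 2-player Büchi game."""
    return solve_buchi(owners(ODD), SUCC, TARGET, two_player=True)


if __name__ == "__main__":
    print("MDP   W_○, W_□ =", solve_mdp())
    print("game  W_◇, W_□ =", solve_game())
```

From `g` the random vertex reaches `c` almost surely, so `g` and `g2` are Even-winning in the MDP, whereas an Odd-controlled `g` can loop through `g2` forever.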

Note that in step 1 of every iteration $i$ an $O(n)$ backward alternating search is performed to compute the set $R_i$. The key idea of our improved algorithm (Algorithm 4) is to perform a cheap forward exploration of edges in some iterations in order to discover subsets of the winning set for player Odd. The improved algorithm for 2-player Büchi games differs from the improved algorithm of the previous section in the way the forward exploration is performed. In order to detect a trap for player Even in which player Odd has a winning strategy, we need to consider all successors of every vertex in the forward exploration. Let $S$ be the set of sources of edges entering the winning set of player Odd discovered in the previous iteration, and let $|S| < k$. The vertices in set $S$ are new candidates to be included in the winning set of player Odd. From these vertices a BFS of depth $\log \ell$ is performed in Step 4.2.2.1 of Algorithm 4. In Step 4.2.2.4 we check if the explored subgraph contains a trap for player Even in which player Odd has a winning strategy. If no such trap is detected then one iteration of the classical algorithm is executed. The key for the subquadratic bound of our algorithm is the observation that if Step 4.2.2 fails to identify a non-empty winning subset for player Odd, then the set discovered by the following iteration of the classical algorithm has at least $\log \ell$ vertices.

We say that a set of vertices $S$ is an Even trap in a graph $G$ if for all $v \in S$, we have $\mathrm{succ}(v, G) \subseteq S$ if $v \in V_\Box$, and $\mathrm{succ}(v, G) \cap S \ne \emptyset$ if $v \in V_\Diamond$. It is easy to verify that if $P \subseteq V$ then the set $V \setminus \mathrm{Attr}_\Box(P, V)$, i.e., the complement of an Even attractor, is always an Even trap in the graph induced by vertices in set $V$. Intuitively, player Odd can prevent player Even from leaving an Even trap, and hence if $S \cap T = \emptyset$ then a trap is included in the winning set of player Odd in the Büchi game $(G, T)$; we call such a set an Even trap winning for player Odd.

Algorithm 3 Classical Algorithm for 2-player Büchi Games
Input: 2-player Büchi game $(G, T)$. Output: $W_\Diamond$ and $W_\Box = V \setminus W_\Diamond$.
[Steps 1.-4. are the same as in Algorithm 1]
5. $W_\Diamond := \bigcup_{k=1}^{i} W_k$

Procedure One-Iteration-Of-The-Classical-Algorithm
Input: set $V_i \subseteq V$. Output: set $W_{i+1} \subseteq V_i$.
1. $R_i := \mathrm{Attr}_\Box(T \cap V_i, V_i)$; 2. $Tr_i := V_i \setminus R_i$; 3. $W_{i+1} := \mathrm{Attr}_\Diamond(Tr_i, V_i)$

Algorithm 4 Improved Algorithm for 2-player Büchi Games
Input: 2-player Büchi game $(G, T)$. Output: $W_\Diamond$ and $W_\Box = V \setminus W_\Diamond$.
[Steps 1.-3. and 4.1 are the same as in Algorithm 2]
4. repeat
    4.2 else ($|\mathrm{In}(W_i, V_i \cup W_i)| < k$)
        4.2.1 $Tr_i := \emptyset$
        4.2.2 for each vertex $v \in \mathrm{Source}(W_i, V_i \cup W_i)$
            4.2.2.1 Find the reachable subgraph $R_v$ by a BFS of depth $\log \ell$
            4.2.2.2 Let $F_v$ denote the set of vertices at depth $\log \ell$
            4.2.2.3 $T'_v := \{u \in V_\Diamond \cap F_v : \mathrm{succ}(u, G_i) \cap R_v = \emptyset\} \cup (V_\Box \cap F_v)$
            4.2.2.4 $R'_v := \mathrm{Attr}_\Box((R_v \cap T \cap V_i) \cup T'_v, R_v)$
            4.2.2.5 $Tr_i := Tr_i \cup (R_v \setminus R'_v)$
        4.2.3 if $Tr_i \ne \emptyset$ then $W_{i+1} := \mathrm{Attr}_\Diamond(Tr_i, V_i)$
        4.2.4 else $W_{i+1} :=$ One-Iteration-Of-The-Classical-Algorithm$(V_i)$
   until $W_i = \emptyset$
5. $W_\Diamond := \bigcup_{k=1}^{i} W_k$

Lemma 8. Algorithm 4 correctly computes the sets $W_\Diamond$ and $W_\Box$.

Proof. We prove by induction that $W_i$ computed in any iteration of the improved algorithm satisfies $W_i \subseteq W_\Diamond$. The proof is similar to that of Lemma 4 and differs only for case 2, which we prove now. If Steps 4.2 and 4.2.3 get executed in iteration $i$, then every nonempty set $R_v \setminus R'_v$ included in the set $Tr_i$ is an Even trap winning for player Odd in the subgraph of $G$ induced by the set of vertices $V_i$. It is an Even trap because for every vertex $u \in V_\Box \cap (R_v \setminus F_v)$, we have $\mathrm{succ}(u, V_i) \subseteq R_v$, and as a complement of an Even attractor it is an Even trap in the subgraph induced by set $R_v$. The set $R_v \setminus R'_v$ is moreover an Even trap winning for player Odd, because by Step 4.2.2.4 all target vertices in the set $R_v$ are included in the set $R'_v$. ■

Lemma 9. Let $R_v$ be a set computed in Step 4.2.2.1. Let $S$ be an Even trap winning for player Odd such that $v \in S$, all vertices of $S$ are reachable from $v$, and $|S| < \log \ell$. Then $S \subseteq R_v \setminus R'_v$, and hence $S$ is discovered in Step 4.2.2.

Lemma 10. The total work in Step 4.1 of Algorithm 4 is $O(n^2/k)$, in Step 4.2.2 it is $O(k\ell n)$, and in Step 4.2.3 it is $O(n)$.

Lemma 11. Algorithm 4 solves 2-player binary Büchi games in time $O(n^2/\log n)$.

Proof. Correctness follows from Lemma 8. The work of Step 4.2.4 is $O(n^2/\log \ell)$ by Lemma 9. The work of Steps 4.1, 4.2.2, and 4.2.4 is $O(n^2/k + k\ell n + n^2/\log \ell)$ by Lemma 10. Take $\ell = n^\epsilon$ with $0 < \epsilon < 1$ and $k = \log n$ to get the $O(n^2/\log n)$ upper bound for the total work. By Lemma 10 the work in Step 4.2.3 is $O(n)$, hence the time complexity of Algorithm 4 is $O(n^2/\log n)$. ■
Abstract. We give machine characterizations of the complexity classes of the W-hierarchy. Moreover, for every class of this hierarchy, we present a parameterized halting problem complete for this class.



1 Introduction 

Parameterized complexity theory provides a framework for a refined complexity analysis of algorithmic problems that are intractable in general. Central to the theory is the notion of fixed-parameter tractability, which relaxes the classical notion of tractability, polynomial time computability, by admitting algorithms whose runtime is exponential, but only in terms of some parameter that is usually expected to be small. As a complexity theoretic counterpart, a theory of parameterized intractability has been developed. In classical complexity theory, the notion of NP-completeness is central to a nice and simple theory for intractable problems. Unfortunately, the world of parameterized intractability is more complex: there is a big variety of seemingly different classes of parameterized intractability. Nevertheless, it can be argued that the classes W[1], W[2], ... of the W-hierarchy together with some other classes like W[P] correspond to NP in classical complexity theory. In particular, all these classes are defined by parameterized variants of the NP-complete satisfiability problem. Unfortunately, the definition of these classes by means of complete problems makes it not easy to understand them. The authors of [4] tried to remedy this situation by presenting machine characterizations for some of the classes. But as they remarked “it remains an interesting open problem to find natural machine characterizations for the classes W[t] for $t \ge 2$”. In this paper we obtain such characterizations.

By definition, a parameterized problem is fixed-parameter tractable if it is decidable by a (deterministic) algorithm in at most $f(k) \cdot p(n)$ steps for some computable function $f$ and some polynomial $p$. Here $k$ denotes the size of the parameter and $n$ the size of the input. Problems in any of the “intractable” parameterized complexity classes mentioned so far are also decidable in at most $f(k) \cdot p(n)$ steps, but by a nondeterministic algorithm. Thus, a first attempt to characterize one of these intractable classes by machines consists in considering nondeterministic algorithms that perform at most $f(k) \cdot p(n)$ steps but restricting further the number of nondeterministic steps. This approach led to the following results in [4]: A problem is in W[P] if and only if it is decidable in at most $f(k) \cdot p(n)$ steps by an algorithm whose number of nondeterministic steps is bounded in terms of the parameter. Similarly, a problem is in W[1] if in addition the nondeterministic steps are performed at the end of the computation.

Already in [4], nondeterministic random access machines turned out to be the appropriate machine model in order to get clear formulations of the characterizations. In their nondeterministic steps these machines are able to guess natural numbers ($\le f(k) \cdot p(n)$); these numbers are considered as names of objects. To obtain machine characterizations of the classes of the W-hierarchy we have to consider the corresponding alternating random access machines, but at the same time we have to ensure that the programs only have access to (the properties of) the elements named by the guessed numbers and not to the numbers themselves.

In [3], Cesati and Di Ianni prove that the halting problem p-HP$_{\mathrm{NMT}}$ for nondeterministic multitape Turing machines, parameterized by the number of steps, is W[2]-hard by reducing the parameterized dominating set problem to it: the machine first guesses the elements of a dominating set and then checks that they really constitute a dominating set. An analysis of the use of and the access to the guessed elements in this algorithm helped the authors to find the machine characterizations of the classes of the W-hierarchy. In Section 4 we present a (short) proof of membership in W[2] of p-HP$_{\mathrm{NMT}}$ by reducing it to a model-checking problem in W[2], a result obtained in [2] by different means.

As the corresponding proof in [4] shows, the machine characterization of W[1] is closely related to the W[1]-completeness of the halting problem for nondeterministic Turing machines. For $t \ge 2$, the W[t]-complete halting problem we present in the last section refers to alternating Turing machines with oracles and it is not so closely related to the corresponding machine characterization but to a logical model-checking problem complete for W[t].

2 Preliminaries 

In this section we recall some definitions and results and fix our notations. 

2.1. Relational Structures and First-Order Logic. A vocabulary $\tau$ is a finite set of relation symbols. Each relation symbol has an arity. A (relational) structure $\mathcal{A}$ of vocabulary $\tau$, or $\tau$-structure, consists of a set $A$ called the universe, and an interpretation $R^{\mathcal{A}} \subseteq A^r$ of each $r$-ary relation symbol $R \in \tau$. We synonymously write $\bar a \in R^{\mathcal{A}}$ or $R^{\mathcal{A}} \bar a$ to denote that the tuple $\bar a \in A^r$ belongs to the relation $R^{\mathcal{A}}$. For example, we view a directed graph as a structure $\mathcal{G} = (G, E^{\mathcal{G}})$, whose vocabulary consists of one binary relation symbol $E$. $\mathcal{G}$ is an (undirected) graph if $E^{\mathcal{G}}$ is irreflexive and symmetric.

The class of all first-order formulas is denoted by FO. They are built up 
from atomic formulas using the usual boolean connectives and existential and 
universal quantification. Recall that atomic formulas are formulas of the form 
$x = y$ or $Rx_1 \ldots x_r$, where $x, y, x_1, \ldots, x_r$ are variables and $R$ is an $r$-ary relation 
symbol. For $t \ge 1$, $\Sigma_t$ denotes the class of all first-order formulas of the form 

$$\exists x_{11} \ldots \exists x_{1k_1}\, \forall x_{21} \ldots \forall x_{2k_2} \ldots Q x_{t1} \ldots Q x_{tk_t}\, \psi,$$

where $Q = \forall$ if $t$ is even and $Q = \exists$ otherwise, and where $\psi$ is quantifier-free. $\Pi_t$-
formulas are defined analogously starting with a block of universal quantifiers. 
Let $t, u \ge 1$. A formula $\varphi$ is $\Sigma_{t,u}$, if it is $\Sigma_t$ and all quantifier blocks after the 
leading existential block have length $\le u$. 

If $\Phi$ is a class of formulas, then $\Phi[\tau]$ denotes the class of all formulas of 
vocabulary $\tau$ in $\Phi$. If $\mathcal{A}$ is a $\tau$-structure and $\varphi \in \mathrm{FO}[\tau]$ a sentence, i.e., a formula 
without free variables, then we write $\mathcal{A} \models \varphi$ to denote that $\mathcal{A}$ satisfies $\varphi$. 

The proof of the following lemma is easy. 

Lemma 1. Let $\varphi_1(\bar x), \ldots, \varphi_m(\bar x)$ and $\psi_1(\bar x, \bar y), \ldots, \psi_m(\bar x, \bar y)$ be formulas in 
$\mathrm{FO}[\tau]$, where $\bar x = x_1 \ldots x_r$ and $\bar y = y_1 \ldots y_s$ are sequences of variables that 
have no variable in common. Assume $Q_1, \ldots, Q_r, Q'_1, \ldots, Q'_s \in \{\forall, \exists\}$. If $\mathcal{A}$ is a 
$\tau$-structure with $\mathcal{A} \models \forall \bar x\, \neg(\varphi_i \wedge \varphi_j)$ for $i \ne j$, then $\mathcal{A}$ satisfies both or none of 
the formulas 

$$Q_1 x_1 \ldots Q_r x_r \bigwedge_{i=1}^{m} \big(\varphi_i \to Q'_1 y_1 \ldots Q'_s y_s\, \psi_i\big),$$

$$Q_1 x_1 \ldots Q_r x_r\, Q'_1 y_1 \ldots Q'_s y_s \bigwedge_{i=1}^{m} \big(\varphi_i \to \psi_i\big).$$

2.2. Parameterized Complexity. A parameterized problem is a set $Q \subseteq \Sigma^* \times \Pi^*$, 
where $\Sigma$ and $\Pi$ are finite alphabets. If $(x, y) \in \Sigma^* \times \Pi^*$ is an instance of 
a parameterized problem, we refer to $x$ as the input and to $y$ as the parameter. 
We usually denote the length of the input string $x$ by $n$ and the length of the 
parameter string $y$ by $k$. 

For example, for a class $S$ of structures and a class $L$ of first-order formulas, 

$$\text{p-MC}(S, L) := \{(\mathcal{A}, \varphi) \mid \mathcal{A} \in S,\ \varphi \text{ a sentence in } L,\ \text{and } \mathcal{A} \models \varphi\}$$

is the parameterized model-checking problem for $S$ and $L$; mostly, for easier 
readability, we present parameterized problems in the following form: 

p-MC(S, L)   Input: $\mathcal{A} \in S$. 
             Parameter: $\varphi$, a sentence in $L$. 
             Problem: $\mathcal{A} \models \varphi$? 



Definition 1. A parameterized problem $Q \subseteq \Sigma^* \times \Pi^*$ is fixed-parameter tractable, 
if there are a computable function $f : \mathbb{N} \to \mathbb{N}$, a polynomial $p$, and an 
algorithm that, given a pair $(x, y) \in \Sigma^* \times \Pi^*$, decides if $(x, y) \in Q$ in at most 
$f(k) \cdot p(n)$ steps. 

FPT denotes the complexity class consisting of all fixed-parameter tractable 
parameterized problems. 

Complementing the notion of fixed-parameter tractability, there is a theory 
of parameterized intractability. It is based on the following notion of reduction: 

Definition 2. An FPT-reduction from the parameterized problem $Q \subseteq \Sigma^* \times \Pi^*$ 
to the parameterized problem $Q' \subseteq (\Sigma')^* \times (\Pi')^*$ is a mapping $R : \Sigma^* \times \Pi^* \to 
(\Sigma')^* \times (\Pi')^*$ such that: 

1. For all $(x, y) \in \Sigma^* \times \Pi^*$: $(x, y) \in Q \iff R(x, y) \in Q'$. 

2. There exists a computable function $g : \mathbb{N} \to \mathbb{N}$ such that for all $(x, y) \in 
\Sigma^* \times \Pi^*$, say with $R(x, y) = (x', y')$, we have $k' \le g(k)$ (where $k = |y|$ and 
$k' = |y'|$). 

3. There exist a computable function $f : \mathbb{N} \to \mathbb{N}$ and a polynomial $p$ such that 
$R$ is computable in time $f(k) \cdot p(n)$. 

We write $Q \le^{\mathrm{FPT}} Q'$ if there is an FPT-reduction from $Q$ to $Q'$ and set 
$[Q]^{\mathrm{FPT}} := \{Q' \mid Q' \le^{\mathrm{FPT}} Q\}$. For a class $C$ of parameterized problems, we let 

$$[C]^{\mathrm{FPT}} := \bigcup_{Q \in C} [Q]^{\mathrm{FPT}}.$$

Denote by GRAPH the class of all finite graphs and by STR the class of 
all finite structures. The parameterized complexity classes W[1], W[2], ... of the 
W-hierarchy are defined as the closure of a family of parameterized problems 
under FPT-reductions. For W[t], the defining family of problems consists of 
parameterized versions of the satisfiability problems for circuits of weft $t$ (and 
varying depth). 

For the purposes of this paper, the most appropriate way to introduce the 
complexity classes of the W-hierarchy is the following (cf. [7], [8]): 

Definition 3. For $t \ge 1$, W[t] is the class of all parameterized problems that, 
for some $u \ge 1$, are FPT-reducible to $\text{p-MC}(\mathrm{GRAPH}, \Sigma_{t,u})$, that is, 

$$W[t] = [\{\text{p-MC}(\mathrm{GRAPH}, \Sigma_{t,u}) \mid u \ge 1\}]^{\mathrm{FPT}}.$$

The following equivalent characterization of W[t] is well-known: 

Proposition 1. $W[t] = [\{\text{p-MC}(\mathrm{STR}, \Sigma_{t,u}[\tau]) \mid u \ge 1,\ \tau \text{ vocabulary}\}]^{\mathrm{FPT}}$. 

At various places of this paper we tacitly make use of the following remark: 

Remark 1. Sometimes, in order to show that a given parameterized problem is 
in W[t], we will present a reduction to $\text{p-MC}(\mathrm{STR}, \Sigma_{t,u}[\tau])$ for some vocabulary 
$\tau$ also containing a fixed finite number of constant symbols or even, we will 
consider a reduction where the number of constants depends on the parameter. 
This will allow us to express properties in a more readable fashion. If we have a fixed 
finite number of constant symbols, they can be eliminated by using appropriate 
unary relations that are singletons; then, in the $\Sigma_{t,u}$-formula to be defined, 
the constants are replaced by variables that are existentially quantified (in the 
first block) and get their right value using the corresponding relations. If the 
number of constant symbols depends on the parameter, e.g., we use constants 
for $0, 1, \ldots, k$, in order to stay within a fixed vocabulary (independent of $k$) these 
constants can be eliminated by a singleton relation for 0 and the binary successor 
relation on $\{0, 1, \ldots, k\}$ and again by existentially quantified variables. 

Sometimes we refer to the complexity classes of the A-hierarchy (cf. [8]): 

Definition 4. For $t \ge 1$, $A[t] = [\text{p-MC}(\mathrm{GRAPH}, \Sigma_t)]^{\mathrm{FPT}}$. 
3 Machine Characterization 

In [4], machine characterizations of the classes W[1], A[t] for $t \ge 1$, and W[P] 
using nondeterministic and alternating random access machines (RAMs) were 
presented. The nondeterministic RAMs are based on the standard random access 
machines (cf. [10]). The model was non-standard when it came to nondeterminism. 
Instead of allowing the machines to nondeterministically choose one bit, or 
an instruction of the program to be executed next, the authors allowed them to 
nondeterministically choose a natural number, more precisely, there was an 
additional instruction "GUESS i j" whose semantics was: Guess a natural number 
less than or equal to the number stored in register $i$ and store it in register $j$. In 
[4] it was remarked: "While this form of nondeterminism may seem unnatural 
at first sight, we would like to argue that it is very natural in many typical 
'applications' of nondeterminism. For example, a nondeterministic algorithm for 
finding a clique in a graph guesses a sequence of vertices of the graph and then 
verifies that these vertices indeed form a clique. Such an algorithm is much easier 
described on a machine that can guess the numbers representing the vertices of 
a graph at once, rather than guessing their bits." 

The alternating RAMs, in addition to the instructions of the form "GUESS 
i j" (denoted by "EXISTS i j" in the context of alternating machines) also had 
"FORALL i j" instructions. The semantics was defined as usual for alternating 
machines. The computations of alternating machines suitable for A[t] have a 
parameter-bounded final part which contains all the EXISTS- and FORALL-
instructions and have at most $t - 1$ alternations (see [4] for the precise statement). 
For W[t] it seems not to suffice (see Section 6) to bound the length of the blocks 
without alternation, but we have to restrict the access to the numbers guessed 
in the EXISTS- and FORALL-instructions: as just remarked in the algorithm 
for finding a clique, we view these numbers as labels of certain objects and the 
type of machine we are going to introduce only has access to the properties of 
these objects and not directly to the labels. 

We turn to the precise definition of the random access machines we are going 
to use and that we call W-RAMs. A W-RAM has 

— the standard registers 0, 1, ..., their contents are denoted by $r_0, r_1, \ldots$, 
respectively; 

— the guess registers 0, 1, ..., their contents are denoted by $g_0, g_1, \ldots$, 
respectively. 

All registers have initial value 0. Often we denote $g_{r_i}$, i.e., the contents of the 
guess register whose index is the content of the $i$th standard register, by $g(r_i)$. 

The W-RAM has all the standard instructions for the standard registers (cf. 
Section 2.6 of [10]; e.g., the arithmetic operations are addition, subtraction, and 
division by two (rounded off)). Moreover, it has four additional instructions: 

Instruction     Semantics 
EXISTS ↑j       guess a natural number $\le r_0$; store it in the $r_j$-th guess register 
FORALL ↑j       guess a natural number $\le r_0$; store it in the $r_j$-th guess register 
JG= i j c       if $g(r_i) = g(r_j)$, then jump to the instruction with label $c$ 
JGO i j c       if $r_{\langle g(r_i),\, g(r_j)\rangle} = 0$, then jump to the instruction with label $c$. 

Here, $\langle\cdot,\cdot\rangle : \mathbb{N} \times \mathbb{N} \to \mathbb{N}$ is any simple coding of ordered pairs of natural numbers 
by natural numbers such that $\langle i, j\rangle < (1 + \max\{i, j\})^2$ and $\langle 0, 0\rangle = 0$. Of course, 
the semantics of the EXISTS- and FORALL-instructions are the same, but we 
view them as existential and universal instructions, respectively. All other 
instructions are said to be deterministic. If the machine stops, it accepts its input, 
if $r_0 = 0$, otherwise it rejects it. 
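To make the machine model concrete, the following is an added Python example (not code from the paper) of a small W-RAM interpreter with the four instructions above and alternating EXISTS/FORALL semantics, running a program of the shape Theorem 1 requires for $t = 2$, $u = 1$ on the dominating set problem of Section 4. The instruction SET, the pre-loaded adjacency image and the concrete pairing function are assumed simplifications; the paper only refers to the standard RAM instructions of [10] and to any pairing with the stated bound.

```python
"""Toy W-RAM interpreter and a W[2]-shaped program for dominating set.

Added example, not code from the paper.  Standard registers r[0], r[1], ...
and guess registers g[0], g[1], ... are sparse dicts (unset = 0, as in the
paper).  Guessed numbers are used only through JG= (equality of two guesses)
and JGO (lookup of the standard register <g(r_i), g(r_j)>), which is exactly
the restricted access the W-RAM imposes.  SET r c (r[r] := c) and STOP stand
in for the standard instruction set (assumed simplification).
"""


def pair(i, j):
    """One pairing <i, j> with <i, j> < (1 + max(i, j))**2 and <0, 0> = 0."""
    return i * i + j if i >= j else j * j + j + i + 1


def run(prog, regs, guesses=None, pc=0):
    """Alternating evaluation of prog from instruction pc (labels are 0-based).

    Returns True iff the configuration accepts: on STOP, accept iff r[0] == 0;
    an EXISTS step accepts iff some guess <= r[0] leads to acceptance, a
    FORALL step iff every guess <= r[0] does.
    """
    regs = dict(regs)
    g = dict(guesses or {})
    while True:
        ins = prog[pc]
        op = ins[0]
        if op == "STOP":
            return regs.get(0, 0) == 0
        if op == "SET":                        # r[j] := c  (assumed standard instruction)
            regs[ins[1]] = ins[2]
            pc += 1
        elif op in ("EXISTS", "FORALL"):       # EXISTS ^j / FORALL ^j
            target = regs.get(ins[1], 0)       # the r_j-th guess register
            branches = (run(prog, regs, {**g, target: n}, pc + 1)
                        for n in range(regs.get(0, 0) + 1))
            return any(branches) if op == "EXISTS" else all(branches)
        elif op == "JG=":                      # if g(r_i) = g(r_j), jump to c
            gi, gj = g.get(regs.get(ins[1], 0), 0), g.get(regs.get(ins[2], 0), 0)
            pc = ins[3] if gi == gj else pc + 1
        elif op == "JGO":                      # if r[<g(r_i), g(r_j)>] = 0, jump to c
            gi, gj = g.get(regs.get(ins[1], 0), 0), g.get(regs.get(ins[2], 0), 0)
            pc = ins[3] if regs.get(pair(gi, gj), 0) == 0 else pc + 1
        else:
            raise ValueError("unknown instruction %r" % (ins,))


def load_graph(m, edges):
    """Image of a graph on vertices 1..m in the standard registers, following
    step 1 of the proof of Theorem 1: r[<i, j>] == 0 iff ij is an edge.
    Unset registers read 0, so every non-edge is marked with 1.  A guess may
    also be 0, which names no vertex: row 0 is left at 0 (the dummy guess 0 is
    dominated by anything) while column 0 is marked (0 dominates nothing).
    r[0] = m is the bound for guesses."""
    adj = {(a, b) for a, b in edges} | {(b, a) for a, b in edges}
    regs = {0: m}
    for i in range(1, m + 1):
        for j in range(m + 1):
            if (i, j) not in adj:
                regs[pair(i, j)] = 1
    return regs


def dominating_set_program(k, base):
    """Per-instance W-RAM program (built for k, like the formulas in the
    paper's reductions) accepting iff the loaded graph has a dominating set of
    size <= k.  Registers base+1..base+k+1 lie above the adjacency image and
    hold the indices of the guess registers in use.  Shape of Theorem 1 for
    t = 2, u = 1: an existential block of k guesses, a universal block of one
    guess, then a deterministic check using the guesses only via JG= and JGO."""
    prog = []
    for j in range(1, k + 1):
        prog += [("SET", base + j, j), ("EXISTS", base + j)]      # g[j] := b_j
    v = base + k + 1
    prog += [("SET", v, k + 1), ("FORALL", v)]                      # g[k+1] := v
    acc = 4 * k + 4                                                 # label of the accepting tail
    for j in range(1, k + 1):
        prog += [("JG=", v, base + j, acc),                         # v = b_j
                 ("JGO", v, base + j, acc)]                         # r[<v, b_j>] = 0, i.e. E v b_j
    prog += [("SET", 0, 1), ("STOP",)]                              # no b_j dominates v: reject
    assert len(prog) == acc
    prog += [("SET", 0, 0), ("STOP",)]                              # label acc: accept
    return prog


def has_dominating_set(m, edges, k):
    """Run the W-RAM on the constructed instance (graph on 1..m, parameter k)."""
    regs = load_graph(m, edges)
    return run(dominating_set_program(k, (m + 1) ** 2), regs)


if __name__ == "__main__":
    # Constructed sample input: the path 1-2-3-4-5.
    path = [(1, 2), (2, 3), (3, 4), (4, 5)]
    print(has_dominating_set(5, path, 2))   # True: {2, 4} dominates the path
    print(has_dominating_set(5, path, 1))   # False
```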

The following lemma, whose proof is immediate, is crucial for the main 
theorem of this section; it shows that the contents of the standard registers depend 
only on the sequence of executed instructions: 

Lemma 2. Assume that, for a given input, we have two (partial) computations 
on a W-RAM. If the same sequence of instructions is carried out in both 
computations, then the contents of the standard registers will be the same. 



Definition 5. A program P for a W-RAM is an AW-program, if there is a 
computable function $f$ and a polynomial $p$ such that for every input $(x, y)$ with 
$|x| = n$ and $|y| = k$ the program P on every run 

1. performs at most $f(k) \cdot p(n)$ steps; 

2. at most $f(k)$ steps are existential or universal; 

3. at most the first $f(k) \cdot p(n)$ standard registers are used; 

4. at every point of the computation the registers contain numbers $\le f(k) \cdot p(n)$. 

The promised machine characterization of W[t] reads as follows: 

Theorem 1. Let $Q$ be a parameterized problem and $t \ge 1$. Then $Q$ is in W[t] 
if and only if there is a $u \ge 1$ and there are a computable function $h$ and an 
AW-program P for a W-RAM such that P decides $Q$ and such that for every run 
of P on an instance $(x, y)$ of $Q$ as input (with $|y| = k$) 

— all existential and universal steps are among the last $h(k)$ steps of the 
computation, 

— there are at most $t - 1$ alternations between existential and universal states, 
and the first guess step is existential, 

— every block without alternations, besides the first one, contains at most $u$ 
guess steps. 

Proof. Assume first that $Q \in W[t]$, then $Q \le^{\mathrm{FPT}} \text{p-MC}(\mathrm{GRAPH}, \Sigma_{t,u})$ for some 
$u \ge 1$. Hence there are computable functions $f$ and $g$, a polynomial $p \in \mathbb{N}[x]$, 
and an algorithm $\mathbb{A}$ assigning to every $(x, y)$, in time $\le f(k) \cdot p(n)$, a graph 
$\mathcal{G} = \mathcal{G}_{x,y}$ and a sentence $\varphi = \varphi_{x,y} \in \Sigma_{t,u}$, say, 

$$\varphi = \exists x_{11} \ldots \exists x_{1k_1}\, \forall x_{21} \ldots \forall x_{2k_2} \ldots Q x_{t1} \ldots Q x_{tk_t}\, \psi,$$

with $k_2, \ldots, k_t \le u$, with $|\varphi| \le g(k)$, and with a quantifier-free $\psi$, such that 

$$Qxy \iff \mathcal{G} \models \varphi.$$

The claimed AW-program P for a W-RAM, on input $(x, y)$, proceeds as follows: 

1. It computes the graph $\mathcal{G} = (G, E^{\mathcal{G}})$, say with $G = \{1, \ldots, m\}$, and stores its 
adjacency matrix in the standard registers: $r_{\langle i,j\rangle} = 0 \iff E^{\mathcal{G}} ij$. 

2. It computes $\varphi$. 

3. It checks whether $\mathcal{G} \models \varphi$. 

To carry out point 3, the program P, using the EXISTS- and FORALL-
instructions, guesses the values of the quantified variables. Then, it checks the 
quantifier-free part using the JG=- and JGO-instructions. The number of steps 
needed for point 3 can be bounded by $h(k)$ for some computable $h$. Hence, all 
existential and universal steps are among the last $h(k)$ steps of the computation. 

Now assume that $P = (\pi_1, \ldots, \pi_m)$ is an AW-program deciding $Q$ and that 
$u \ge 1$, $h$, and P have the properties stated at the right side of the equivalence 
claimed in the theorem. For the program P choose the function $f$ and the 
polynomial $p$ according to Definition 5. We claim that $Q \in W[t]$. By Proposition 
1, it suffices to show that $Q \le^{\mathrm{FPT}} \text{p-MC}(\mathrm{STR}, \Sigma_{t,2\cdot u}[\tau])$ for some $\tau$. The set of 
instruction numbers of P is $\{1, \ldots, m\}$, more precisely, $\pi_i$ is the instruction of P 
with instruction number $i$. We denote instruction numbers (= potential contents 
of the program counter) by $c, c_1, \ldots$ and finite sequences of instruction numbers 
by $\bar c$. $\ell(\bar c)$ denotes the last instruction number of the sequence $\bar c$, and $[\bar c)$ the 
sequence obtained from $\bar c$ by omitting its last member. Fix an instance $(x, y)$ of 
$Q$. Let 

$$C := \bigcup_{0 \le r \le h(k)-1} \{1, \ldots, m\}^r \quad \text{and} \quad N := \{0, 1, \ldots, f(k) \cdot p(n)\}$$

with $k = |y|$. We look for a structure $\mathcal{A}$ and a $\Sigma_{t,2\cdot u}$-sentence $\varphi$ such that 

$$P \text{ accepts } (x, y) \iff \mathcal{A} \models \varphi.$$

Let $\bar c_0$ be the sequence of instruction numbers of the deterministic part of P on 
input $(x, y)$ ending with the instruction number of the first existential instruction. 
As universe $A$ of $\mathcal{A}$ we take $A := C \cup N$. Moreover, in $\mathcal{A}$ there are the 
binary relation $<^{\mathcal{A}}$, the natural ordering on $N$, and ternary relations $R^{\mathcal{A}}$ and 
$T^{\mathcal{A}}$ defined by 

$R^{\mathcal{A}} \bar c\, i\, j \iff \bar c \in C$, $i, j \in N$, and if P, on input $(x, y)$, carries out 
the sequence of instructions $[\bar c_0 \bar c)$, then $r_i = j$. 

$T^{\mathcal{A}} \bar c\, i\, j \iff \bar c \in C$, $i, j, \langle i, j\rangle \in N$, and if P, on input $(x, y)$, carries out 
the sequence of instructions $[\bar c_0 \bar c)$, then $r_{\langle i,j\rangle} = 0$. 

Moreover, we have a constant for 0. This finishes the definition of $\mathcal{A}$, which can 
be constructed within the time allowed by an FPT-reduction. 

We turn to the definition of $\varphi$. First, we fix $\bar c \in C$: Let $i = i(\bar c)$ be the number 
of blocks without alternations of the sequence of instructions determined by $[\bar c_0 \bar c)$; 
let $j = j(\bar c)$ be the number of guesses in the $i$th block. If $i \le t$ and if each block, 
besides the first one, has length $\le u$, we introduce a formula 

where $\bar x_1 := x_{1,1}, \ldots, x_{1,f(k)}$ and $\bar x_s := x_{s,1} \ldots x_{s,u}$ for $s = 2, \ldots, i - 1$ with the 
intuitive meaning 

if a partial run of P has $\bar c_0 \bar c$ as sequence of instruction numbers and if 
every variable $x_{i',j'}$ displayed in (1) has, as value, the $j'$th guess of the 
$i'$th block (and $x_{i',j'} = 0$, if there was no such guess), then there is an 
accepting continuation of this run. 

Then, for the empty sequence $\emptyset$ of instruction numbers and $\varphi := \varphi_\emptyset$, we have 

$$P \text{ accepts } (x, y) \iff \mathcal{A} \models \varphi.$$

For $\bar c \in C$ of maximal length, $|\bar c| = h(k) - 1$, we set (recall that, by definition, a 
computation accepts its input, if $r_0 = 0$ at the end of the computation) 

$$\varphi_{\bar c} := \begin{cases} \mathrm{TRUE}, & \text{if } \pi_{\ell(\bar c)} = \mathrm{STOP} \text{ (i.e., } \pi_{\ell(\bar c)} \text{ is the STOP-instruction) and } R\bar c\,0\,0 \\ \mathrm{FALSE}, & \text{otherwise.} \end{cases}$$

If $\bar c \in C$ and $|\bar c| < h(k) - 1$, we assume that $\varphi_{\bar c'}$ has already been defined for all 
$\bar c'$ with $|\bar c| < |\bar c'|$. The definition depends on the type of the instruction of P with 
instruction number $\ell(\bar c)$. 

If $\pi_{\ell(\bar c)} = \mathrm{STOP}$, then again 

$$\varphi_{\bar c} := \begin{cases} \mathrm{TRUE}, & \text{if } R\bar c\,0\,0 \\ \mathrm{FALSE}, & \text{otherwise.} \end{cases}$$

The definition of $\varphi_{\bar c}$ is simple for the standard instructions, e.g., if $\pi_{\ell(\bar c)} = 
\mathrm{STORE}\ {\uparrow}u$ (i.e., $\pi_{\ell(\bar c)}$ is "$r_{r_u} := r_0$"), then $\varphi_{\bar c} := \varphi_{\bar c\,\ell(\bar c)+1}$. 

We give the definitions for the new instructions: If $\pi_{\ell(\bar c)} = \mathrm{EXISTS}\ {\uparrow}v$, then 
(for $i = i(\bar c)$ and $j = j(\bar c)$) 

$$\varphi_{\bar c} := \begin{cases} \exists x_{i,j+1} \exists y\, (R\bar c\,0\,y \wedge x_{i,j+1} \le y \wedge \varphi_{\bar c\,\ell(\bar c)+1}), & \text{if } i = 1 \text{ or } (i \text{ is odd and } j < u) \\ \exists x_{i+1,1} \exists y\, (R\bar c\,0\,y \wedge x_{i+1,1} \le y \wedge \varphi_{\bar c\,\ell(\bar c)+1} \\ \qquad \wedge\ x_{i,j+1} = 0 \wedge \ldots \wedge x_{i,u} = 0), & \text{if } i \text{ is even, } i < t, \text{ and } j \le u \\ \mathrm{FALSE}, & \text{otherwise.} \end{cases}$$

The definition is similar for instructions of the type $\mathrm{FORALL}\ {\uparrow}v$, but then the 
variables are quantified universally. 

Assume $\pi_{\ell(\bar c)} = \mathrm{JG{=}}\ v\ w\ c$. We need $g(r_v)$ and $g(r_w)$. Determine the actual 
contents $v_0$ and $w_0$ of the $v$th and the $w$th standard register, i.e., $v_0$ and $w_0$ 
with $R^{\mathcal{A}} \bar c\, v\, v_0$ and $R^{\mathcal{A}} \bar c\, w\, w_0$. Consider the sequence of instructions given by $\bar c$ and 
determine the last instruction in it of the form $\mathrm{FORALL}\ {\uparrow}z$ or $\mathrm{EXISTS}\ {\uparrow}z$ such 
that at that time $r_z = v_0$, say, it is the $j_0$th guess in the $i_0$th block. Similarly, let 
the $j_1$th guess in the $i_1$th block be the last instruction of the form $\mathrm{FORALL}\ {\uparrow}z$ 
or $\mathrm{EXISTS}\ {\uparrow}z$ such that at that time $r_z = w_0$ (the case that such instructions 
do not exist is treated in the obvious way). Then set 

$$\varphi_{\bar c} := (x_{i_0,j_0} = x_{i_1,j_1} \to \varphi_{\bar c\,c}) \wedge (\neg\, x_{i_0,j_0} = x_{i_1,j_1} \to \varphi_{\bar c\,\ell(\bar c)+1}).$$

Assume $\pi_{\ell(\bar c)} = \mathrm{JGO}\ u\ v\ c$. As in the preceding case, let $x_{i_0,j_0}$ and $x_{i_1,j_1}$ denote 
the actual values of the $r_u$th and the $r_v$th guess register, respectively. Then set 

$$\varphi_{\bar c} := (T\bar c\, x_{i_0,j_0} x_{i_1,j_1} \to \varphi_{\bar c\,c}) \wedge (\neg T\bar c\, x_{i_0,j_0} x_{i_1,j_1} \to \varphi_{\bar c\,\ell(\bar c)+1}).$$

As already mentioned above, we set $\varphi := \varphi_\emptyset$. By Lemma 1, one easily verifies 
that $\varphi$ is equivalent to a $\Sigma_{t,2\cdot u}$-formula. Clearly, the size of $\varphi$ can be bounded 
in terms of $h(k)$, and 

$$Qxy \iff P \text{ accepts } (x, y) \iff \mathcal{A} \models \varphi,$$

which gives the desired reduction showing that $Q \in W[t]$. □ 

4 W[2] and Multitape Machines 

Among the many known W[1]-complete problems, of course, the most generic 
one is the halting problem p-HPN for nondeterministic Turing machines (cf. [1]): 

p-HPN   Input: A nondeterministic Turing machine $M$. 
        Parameter: $k \in \mathbb{N}$. 
        Problem: Does $M$ accept the empty word in at most $k$ steps? 

Surprisingly, the same problem for nondeterministic Turing machines with 
several tapes is W[2]-complete (cf. [3] and [2]). Mike Fellows pointed out this result 
to the second author and encouraged him to look for a machine characterization 
of W[2]. In this section we present a simple proof that the halting problem for 
multitape machines is in W[2]; it avoids the equality $W[2] = W^*[2]$ (cf. [5]), used 
in [2] and for which no simple proof is known. 

Proposition 2. For some vocabulary $\tau$, $\text{p-HPNMT} \le^{\mathrm{FPT}} \text{p-MC}(\mathrm{STR}, \Sigma_{2,3}[\tau])$. 

Here p-HPNMT denotes the halting problem for nondeterministic multitape 
Turing machines: 

p-HPNMT   Input: A nondeterministic Turing machine $M$ with an 
          arbitrary finite number of tapes. 
          Parameter: $k \in \mathbb{N}$. 
          Problem: Does $M$ accept the empty word in at most $k$ steps? 
Proof. Let $M$ be a nondeterministic Turing machine with $w_0$ (work) tapes. We 
aim at a structure $\mathcal{A} = \mathcal{A}_{M,k}$ and a $\Sigma_{2,3}$-sentence $\varphi = \varphi_{M,k}$ such that 

$$(M, k) \in \text{p-HPNMT} \iff \mathcal{A} \models \varphi.$$

Let $\Sigma$ and $Q$ be the alphabet and the set of states of $M$, respectively. The 
instructions of $M$ have the form 

$$q(a_1, \ldots, a_{w_0}) \to q'(a'_1, \ldots, a'_{w_0})(h_1, \ldots, h_{w_0})$$

where $q, q' \in Q$, $a_1, \ldots, a_{w_0}, a'_1, \ldots, a'_{w_0} \in \Sigma \cup \{*\}$ ($*$ is the blank symbol) and 
$h_1, \ldots, h_{w_0} \in \{-1, 0, 1\}$. Let $T$ be the set of tuples $(b_1, \ldots, b_{w_0}) \in (\Sigma \cup \{*\})^{w_0}$ 
and $H$ the set of tuples $(h_1, \ldots, h_{w_0}) \in \{-1, 0, 1\}^{w_0}$ occurring in instructions. 
The structure $\mathcal{A}$ has the universe 

$$A := Q \cup (\Sigma \cup \{*\}) \cup \{-1, 0, 1, \ldots, \max\{w_0, k\}\} \cup T \cup H.$$

We need the natural ordering relation $<^{\mathcal{A}}$ on $\{-1, 0, 1, \ldots, \max\{w_0, k\}\}$, the 
5-ary relation $D^{\mathcal{A}}$ (the "transition relation") and the ternary relation $P^{\mathcal{A}}$ (the 
"projection relation") defined by 

$D^{\mathcal{A}} q\, t\, q'\, t'\, h \iff q t \to q' t' h$ is an instruction of $M$ 

$P^{\mathcal{A}} w\, b\, a \iff 1 \le w \le w_0$, $b \in T \cup H$, $b = (b_1, \ldots, b_{w_0})$, and $b_w = a$. 

Moreover, we have constant symbols for the initial state $q_0$, the accepting state 
$q_{\mathrm{acc}}$, for $*$, and for $-1, w_0, 0, 1, \ldots, k$ (cf. Remark 1). 

The formula $\varphi$ we aim at will express that there is an accepting run of 
length $\le k$ (w.l.o.g. of length $= k$): among others, it will contain the variables 
$q_i, t_i, q'_i, t'_i, h_i$ for $i = 1, \ldots, k$; in fact, $q_i t_i q'_i t'_i h_i$ represents the $i$th instruction 
applied in the run; $\varphi$ is obtained by existentially quantifying all variables in 

$$\psi_{\mathrm{init}}(q_1, t_1) \wedge \bigwedge_{i=1}^{k} D q_i t_i q'_i t'_i h_i \wedge \bigwedge_{i=1}^{k-1} q'_i = q_{i+1} \wedge q'_k = q_{\mathrm{acc}} \wedge \psi,$$

where $\psi_{\mathrm{init}}(q_1, t_1) := (q_1 = q_0 \wedge \forall w (1 \le w \le w_0 \to P w t_1 *))$ and where $\psi$ is a 
universal formula expressing that the sequence of instructions can be applied: 
For this purpose, for $i = 1, \ldots, k$, we introduce quantifier-free formulas 

$$\varphi_i^T(w, p, x, \bar v_i) \quad \text{and} \quad \varphi_i^H(w, p, \bar v_i)$$

with $\bar v_i := q_1, t_1, q'_1, t'_1, h_1, \ldots, q_{i-1}, t_{i-1}, q'_{i-1}, t'_{i-1}, h_{i-1}$ and with the meaning 

if, starting with the empty tape, the sequence of instructions $\bar v_i$ has been 
carried out, then the $p$th cell of the $w$th tape contains the letter $x$, 

and 

if, starting with the empty tape, the sequence of instructions $\bar v_i$ has been 
carried out, then the head of the $w$th tape scans the $p$th cell, 

respectively. Then, as $\psi$, we can take 

$$\psi := \forall w \forall p \forall x \bigwedge_{i=1}^{k} \big( (\varphi_i^T(w, p, x, \bar v_i) \wedge \varphi_i^H(w, p, \bar v_i)) \to \cdots \big)$$

The simultaneous definition of $\varphi_i^T$ and $\varphi_i^H$ by induction on $i$ is routine, e.g., 

$$\varphi_1^T(w, p, x) := (1 \le w \le w_0 \wedge 1 \le p \le k \wedge x = *),$$

$$\varphi_{i+1}^T(w, p, x, \bar v_{i+1}) := (1 \le w \le w_0 \wedge 1 \le p \le k) \wedge \big( (\neg \varphi_i^H(w, p, \bar v_i) \wedge \varphi_i^T(w, p, x, \bar v_i)) \vee (\varphi_i^H(w, p, \bar v_i) \wedge P w t'_i x) \big).$$

One easily verifies that $\varphi$ is (logically equivalent to) a $\Sigma_{2,3}$-sentence. □ 

Corollary 1. The halting problem p-HPNMT for multitape machines is W[2]-
complete. 

Proof. By Proposition 1 and the preceding proposition, p-HPNMT is in W[2]. 
To show that p-HPNMT is W[2]-hard we recall the proof of [3] that the 
parameterized dominating set problem p-DS can be reduced to p-HPNMT. The 
essential problem is to obtain a corresponding machine in the time allowed by 
an FPT-reduction. 

Suppose $(\mathcal{G}, k)$ is an instance of p-DS with $G = \{a_1, \ldots, a_n\}$. Let the multitape 
machine $M$ have $n + 1$ tapes, numbered by 0 to $n$, and let $\Sigma := G \cup \{\text{yes}\}$ be 
its alphabet. In the first step all heads move one cell to the right. In the next $2 \cdot k$ 
steps, only the 0th head is active: it (nondeterministically) writes $k$ elements of 
$G$ on its tape, say $b_1, \ldots, b_k$ (the elements of the intended dominating set), and 
goes back to the cell containing $b_1$. In the next $k$ steps the 0th head again reads 
these elements; at the same time, in the $j$th step, the $i$th head checks whether 
$a_i = b_j$ or $E a_i b_j$; in the affirmative case the $i$th head prints "yes" and moves to 
the right, in the negative case it neither prints nor moves; finally, the machine 
moves all heads one cell to the left and accepts, if the heads on the tapes number 
1 to $n$ read "yes". Clearly, 

$$(\mathcal{G}, k) \in \text{p-DS} \iff (M, 3 \cdot (k + 1)) \in \text{p-HPNMT}. \quad \square$$

5 Complete Halting Problems for the W-Hierarchy 

As already mentioned at the beginning of Section 4, the halting problem for 
nondeterministic Turing machines, parameterized by the number of steps, is a 
quite generic W[1]-complete problem. The corresponding halting problems for 
alternating machines yield complete problems for the classes of the A-hierarchy. 
Indeed, for $t \ge 1$, we have $A[t] = [\text{p-HPA}_t]^{\mathrm{FPT}}$ (cf. [8]), where 

p-HPA$_t$   Input: An alternating Turing machine $M$ whose 
           initial state is existential. 
           Parameter: $k \in \mathbb{N}$. 
           Problem: Does $M$ accept the empty word in at most $k$ steps 
           with at most $t - 1$ alternations? 

One would expect that in order to obtain complete problems for the classes of the 
W-hierarchy one has to bound the number of steps of all non-alternating blocks 
but the first one. More precisely, for $t, u \ge 1$, consider the following problem: 

p-HPA$_{t,u}$   Input: An alternating Turing machine $M$ whose 
             initial state is existential. 
             Parameter: $k \in \mathbb{N}$. 
             Problem: Does $M$ accept the empty word in at most $k$ steps 
             with at most $t - 1$ alternations, where every block 
             of steps without alternation, besides the first one, 
             has length $\le u$? 

Essentially along the lines of the proof of $\text{p-HPA}_t \in A[t]$ in [8], one can show 
that $\text{p-HPA}_{t,u} \in W[t]$. But the corresponding hardness proof does not seem 
to go through. Recall that in order to establish that $\text{p-MC}(\mathrm{GRAPH}, \Sigma_t) \le^{\mathrm{FPT}} 
\text{p-HPA}_t$, given a graph and a $\Sigma_t$-sentence $\varphi$, one constructs an alternating Turing 
machine that first associates values to the quantifiers in $\varphi$ (the values for 
existentially quantified variables are chosen in existential states, the values for 
universally quantified variables in universal states) and that then checks whether 
the selected variables satisfy the quantifier-free part of $\varphi$, the quantifier-free 
check. Of course, a $\Sigma_{t,u}$-prefix would yield an alternation sequence according to 
$\text{p-HPA}_{t,u}$, but the number of steps needed for the quantifier-free check cannot be 
bounded in terms of $t$ and $u$ as required in $\text{p-HPA}_{t,u}$; it depends on $\varphi$. Therefore, 
we add suitable oracles to the Turing machines that carry out the quantifier-free 
check in a single step. Of course, we have to add them in such a way that the 
corresponding halting problem still is in W[t]. 

As in an alternating machine, the set $Q$ of states of an alternating Turing 
machine $M$ with oracle is the disjoint union of the set of universal states $Q_u$ 
and the set of existential states $Q_e$. The "oracle states" $q_?$, $q_y$, and $q_n$ are all 
contained in $Q_u$ or all in $Q_e$. Let $\Lambda$ be the vocabulary of $M$ and let $O \subseteq \Lambda^*$ be a 
language, the "oracle language". $M^O$, the machine $M$ with oracle $O$, in state $q_?$ 
will check if the word to the left of the cell scanned by its head is in $O$ and will 
change to the "yes state" $q_y$ or to the "no state" $q_n$ (without printing a letter 
nor moving its head). 

For a graph $\mathcal{G} = (G, E^{\mathcal{G}})$ and a first-order formula $\varphi(x_1, \ldots, x_p)$, let $O(\mathcal{G}, \varphi)$ 
be the following set of words over $G$, $O(\mathcal{G}, \varphi) \subseteq G^*$: 

$$O(\mathcal{G}, \varphi) := \{a_1 \cdots a_p \mid \mathcal{G} \models \varphi(a_1, \ldots, a_p)\}.$$

Due to space limitations we omit the proof of the following theorem: 

Theorem 2. For $t \ge 1$, 

$$W[t] = [\{\text{p-HPAO}_{t,u} \mid u \ge 1\}]^{\mathrm{FPT}},$$

where $\text{p-HPAO}_{t,u}$ is the parameterized halting problem for alternating Turing 
machines with oracle: 

p-HPAO$_{t,u}$   Input: An alternating Turing machine $M$ with oracle 
              whose initial state is existential and a graph 
              $\mathcal{G} = (G, E^{\mathcal{G}})$ such that $G$ is a subset of the alphabet 
              of $M$. 
              Parameter: $k \in \mathbb{N}$ and a quantifier-free formula $\varphi(x_1, \ldots, x_p)$. 
              Problem: Does $M^{O(\mathcal{G}, \varphi)}$ accept the empty word in at most 
              $k$ steps with at most $t - 1$ alternations, where every 
              block of steps without alternation, besides 
              the first one, has length $\le u$? 



6 Conclusions 

Most standard complexity classes like LOGSPACE, NLOGSPACE, PTIME, 
NPTIME, the classes of the polynomial hierarchy, or PSPACE have definitions 
in terms of machines. By contrast, originally nearly all parameterized complexity 
classes containing intractable problems were defined via complete problems. In 
[4], machine characterizations of W[1], W[P], and of A[t] for $t \ge 1$ were presented; 
in this paper we derive such characterizations for W[t] for $t \ge 2$. 

As mentioned at the beginning of Section 3, in [4] AW-programs for 
alternating RAMs were introduced, which have "unrestricted access" to the guessed 
numbers. For $t \ge 1$, denote by L[t] the class that satisfies Theorem 1 if we replace 
W-RAM by alternating RAM, i.e., L[t] is the class of parameterized problems 
$Q$ such that there is a computable function $h$ and an AW-program P for an 
alternating RAM deciding $Q$ such that for every run of P on an instance $(x, y)$ 
of $Q$ as input (with $k = |y|$) 

— all existential and universal steps are among the last $h(k)$ steps of the 
computation, 

— there are at most $t - 1$ alternations between existential and universal states, 
and the first guess step is existential, 

— every block without alternations, besides the first one, contains at most $u$ 
guess steps. 

Clearly, by [4] and Theorem 1, we have 

$$W[t] \subseteq L[t] \subseteq A[t].$$

We do not know if $W[t] = L[t]$ or if $L[t] = A[t]$. Let an f-vocabulary be a finite set 
of relation symbols, function symbols, and constant symbols. By an appropriate 
refinement of the proof of Theorem 1 one can show: 

Theorem 3. For $t \ge 1$, 

$$L[t] = [\{\text{p-MC}(\mathrm{STR}, \Sigma_{t,u}[\tau]) \mid u \ge 1,\ \tau \text{ f-vocabulary}\}]^{\mathrm{FPT}}.$$

For every f-vocabulary $\tau$, the classical problem $\mathrm{MC}(\mathrm{STR}, \Sigma_{t,u}[\tau])$ is in NP. 
Therefore, $\mathrm{FPT} \subseteq W[t] \subseteq L[t] \subseteq \text{para-NP}$ (compare [9] for the definition of 
para-NP). As $\mathrm{FPT} \ne \text{para-NP}$ is equivalent to $\mathrm{P} \ne \mathrm{NP}$ (cf. [9]), we obtain from 
the preceding theorem: 

Corollary 2. If $W[t] \ne L[t]$ for some $t \ge 1$, then $\mathrm{P} \ne \mathrm{NP}$. 
Abstract. We propose a protocol model which integrates two different 
ways of analyzing cryptographic protocols: i) analysis w.r.t. an unbounded 
number of sessions and bounded message size, and ii) analysis 
w.r.t. an a priori bounded number of sessions but with messages of 
unbounded size. We show that in this model secrecy is DEXPTIME-
complete. This result is obtained by extending the Dolev-Yao intruder 
to simulate an unbounded number of sessions. 



1 Introduction 

Formal analysis has been very successful in finding flaws in published crypto- 
graphic protocols [7]. Even fully automatic analysis of such protocols is possible, 
based on models for which security is decidable or based on approximations 
(see, e.g., [13,19,18,1,16], and [17,9] for an overview of the different approaches, 
decidability, and complexity theoretic results). 

The decidability of security, or more precisely secrecy, of protocols heavily 
depends on whether in the analysis an unbounded number of sessions of a proto- 
col is taken into account or only an a priori bounded number. In the former case, 
secrecy is in general undecidable [1,13,14], with only a few exceptions [13,11,2,8]. 
One such exception, which is of particular interest in this paper, is that secrecy is 
DEXPTIME-complete when the message size is bounded and nonces, i.e., newly 
generated constants, are disallowed [13]. In what follows, let us call this setting 
the bounded message model. In the latter case, in which the number of sessions is 
bounded, secrecy is known to be NP-complete [19], even when there is no bound 
on the size of messages, complex keys are allowed, i.e., keys that may be complex 
messages, and messages can be paired to form larger messages. We will refer to 
this setting as the unbounded message model. 

* This work was partially supported by PROCOPE and IST AVISPA. The second 
author was also supported by the DFG. 
In this paper, we integrate the two models — the bounded and the unbounded 
message model, and thus, integrate two different approaches for protocol 
col analysis: i) analysis w.r.t. an unbounded number of sessions, which has the 
advantage that the exact sessions to be analyzed do not need to be provided 
beforehand, but where a bound on the size of messages is put, and ii) analysis 
which is rather detailed since the size of messages is not bounded, but where 
only explicitly given sessions are analyzed. More precisely, we consider a pro- 
tocol model in which there are two kinds of principals, bounded message and 
unbounded message principals, or bounded and unbounded principals for short, 
which only accept messages of bounded size from the environment or messages 
of unbounded size, respectively. Conversely, in a protocol run, bounded prin- 
cipals may be involved in an unbounded number of sessions while unbounded 
principals run in at most one session. The communication between the princi- 
pals is controlled by the standard Dolev-Yao intruder, in particular, the size of 
the messages the intruder may produce is not bounded. Just as in the bounded 
and unbounded message model, the principals and the intruder are not allowed 
to generate nonces. Our model, in what follows referred to as integrated model, 
comprises both the bounded and the unbounded message model: If in the inte- 
grated model the set of bounded principals is empty, then the model coincides 
with the unbounded message model, and if the set of unbounded principals is 
empty, then this gives the bounded message model. 

The main result shown in this paper is that secrecy in the integrated model 
is DEXPTIME-complete. The main difficulty is to establish the complexity 
upper bound. The key idea is as follows: To deal with the bounded principals 
in the integrated model, and thus, the unbounded number of sessions, the 
bounded principals are turned into intruder rules, and thus, they extend the 
ability of the intruder to derive new messages. These intruder rules can be 
applied by the intruder an arbitrary number of times and in this way simulate 
the unbounded number of sessions. More precisely, we will extend the standard 
Dolev-Yao intruder by oracle rules, i.e., intruder rules that satisfy certain 
properties, and show that insecurity w.r.t. a set of unbounded principals and 
the extended intruder is in NP (given an oracle for applying the oracle 
rules). — This result is obtained in a similar way as the one in [5], although 
the kind of oracle rules considered in [5] is quite different from the rules 
studied here. — We then turn the bounded principals into oracle rules, show 
that these rules in fact simulate the bounded principals, and prove that the 
rules can be applied in exponential time. These steps are non-trivial. From 
this, we conclude the desired complexity upper bound, i.e., obtain a 
deterministic exponential time algorithm for deciding secrecy in the 
integrated model. 

As we will see in Section 3, the integrated model is not more powerful than 
the unbounded message model in the sense that from every protocol in the 
integrated model one can construct a protocol in the unbounded message model 
such that one protocol preserves secrecy only if the other one does. Moreover, 
feeding this constructed protocol into an algorithm for analyzing protocols in 
the unbounded message model yields an alternative way of deciding secrecy in 
the integrated model. However, since the number of (unbounded) principals in 
the constructed protocol grows exponentially, using the NP-completeness result 
shown in [19], this reduction only provides an NEXPTIME decision algorithm. 
(Note that, together with the main result of this paper and the result shown in 
[19], the existence of a polynomial time reduction from the integrated model to 
the unbounded message model would imply NP=EXPTIME.) More importantly, 
the constructed protocol is too big for current analysis tools in the unbounded 
messages model, e.g., [3,18], since they can only handle a small number of 
principals. Conversely, in our decision algorithm, we not only reduce secrecy 
in the integrated model to secrecy in the unbounded message model but in 
addition extend the Dolev-Yao intruder to simulate the bounded principals. In 
this way, we avoid creating new (unbounded) principals. In addition to the 
improved complexity theoretic result, this approach seems to be much better 
amenable to practical implementations. In fact, in [6] an implementation is 
presented for an intruder with capabilities similar to those needed here. 

Structure of the paper. In the following section, the protocol and intruder model 
is presented. Then we state the main result (Section 3). In Section 4, the intruder 
extended by oracle rules is introduced and it is shown that insecurity is in NP 
given an oracle for applying oracle rules. We then, Section 5, turn bounded 
principals into oracle rules, and by applying the result from Section 4 establish 
the complexity upper bound. We conclude in Section 6. 

We refer the reader to our technical report [4] for full proofs and a formal 
description of the Three-Pass Mutual Authentication ISO Protocol in our model. 

2 Problem Definition 

We now provide a formal definition of our protocol and intruder model. We first 
define terms and messages, then protocols, and finally the intruder and attacks. 



2.1 Terms and Messages 

Terms are defined according to the following grammar: 

$\mathit{term} ::= \mathcal{A} \mid \mathcal{V} \mid (\mathit{term}, \mathit{term}) \mid \{\mathit{term}\}^s_{\mathit{term}} \mid \{\mathit{term}\}^p_{\mathcal{K}}$ 

where $\mathcal{A}$ is a finite set of constants (atomic messages), containing 
principal names, nonces, keys, and the atomic messages $\mathit{secret}$ and $I$ 
(the intruder's name); $\mathcal{K}$ is a subset of $\mathcal{A}$ denoting the 
set of public and private keys; and $\mathcal{V}$ is a finite set of variables. 
We assume that there is a bijection $\cdot^{-1}$ on $\mathcal{K}$ which maps 
every public (private) key $k$ to its corresponding private (public) key 
$k^{-1}$. The binary symbol $(\cdot, \cdot)$ is called pairing, the binary 
symbol $\{\cdot\}^s_{\cdot}$ is called symmetric encryption, the binary symbol 
$\{\cdot\}^p_{\cdot}$ is public key encryption. Note that a symmetric key can 
be any term and that for public key encryption only atomic keys (namely, public 
and private keys from $\mathcal{K}$) can be used. 







Variables are denoted by $x, y$, terms are denoted by $s, t, u, v$, and finite 
sets of terms are written $E, F, \ldots$, and decorations thereof, 
respectively. We abbreviate $E \cup F$ by $E, F$, the union $E \cup \{t\}$ by 
$E, t$, and $E \setminus \{t\}$ by $E \setminus t$. The cardinality of a set 
$S$ is denoted by $\mathrm{card}(S)$. 

For a term $t$ and a set of terms $E$, $\mathrm{Var}(t)$ and $\mathrm{Var}(E)$ 
denote the set of variables occurring in $t$ and $E$, respectively. 

A ground term (also called message) is a term without variables. A (ground) 
substitution is a mapping from $\mathcal{V}$ to the set of (ground) terms. The 
application of a substitution $\sigma$ to a term $t$ (a set of terms $E$) is 
written $t\sigma$ ($E\sigma$), and is defined as usual. 

The set of subterms of a term $t$, denoted by $\mathrm{Sub}(t)$, is defined as 
follows: 

— If $t \in \mathcal{A} \cup \mathcal{V}$, then $\mathrm{Sub}(t) = \{t\}$. 

— If $t = (u, v)$, $\{u\}^s_v$, or $\{u\}^p_v$, then 
$\mathrm{Sub}(t) = \{t\} \cup \mathrm{Sub}(u) \cup \mathrm{Sub}(v)$. 

Let $\mathrm{Sub}(E) = \bigcup_{t \in E} \mathrm{Sub}(t)$. We define the size 
of a term and a set of terms basically as the size of the representation as a 
dag. That is, the size $|t|$ ($|E|$) of a term $t$ (a set of terms $E$) is 
$\mathrm{card}(\mathrm{Sub}(t))$ ($\mathrm{card}(\mathrm{Sub}(E))$). 



2.2 Protocols 

We now define principals and protocols. 

Definition 1. A principal $\Pi$ is a finite linear ordering of rules of the 
form $R \to S$ where $R$ and $S$ are terms. We assume that every variable in 
$S$ occurs in $R$ or on the left-hand side of a rule preceding $R \to S$. The 
rules are called principal rules. 

A protocol $P$ is a tuple $(\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$ 
where $\mathcal{F}_u$ and $\mathcal{F}_b$ are finite unions of principals, and 
thus, partially ordered sets, $E_I$ is a finite set of messages with 
$I \in E_I$, and $\mathcal{D}$ is some representation of a finite set of 
messages such that the dag size of messages in the set represented by 
$\mathcal{D}$ is linearly bounded in the size of the representation of 
$\mathcal{D}$. 

Given a protocol $P$, in the following we will assume that $\mathcal{A}$ is 
the set of constants occurring in $P$. We define the size $|P|$ of $P$ as the 
number of different subterms in $\mathcal{F}_u$, $\mathcal{F}_b$, and $E_I$ 
plus the size of the representation of $\mathcal{D}$. For instance, 
$\mathcal{D}$ may be a non-negative integer $n$ (encoded in unary) 
representing the set of all messages of dag size $\le n$. This implies that 
the dag size of the set of messages represented by $\mathcal{D}$ is 
exponentially bounded in the size $|P|$ of the protocol. We define 
$\mathrm{Var}(P)$ to be the set of variables occurring in $P$. 

The idea behind the definition of a protocol is as follows. In an attack on 
$P$ the intruder may use every principal in $\mathcal{F}_u$ at most once but 
the principals in $\mathcal{F}_b$ may be used as often as the intruder wishes. 
In other words, the principals in $\mathcal{F}_b$ may be involved in an 
unbounded number of sessions in one attack while the principals in 
$\mathcal{F}_u$ only participate in at most one session. It is well-known that 
deciding the security of a protocol w.r.t. an intruder who may use an 
unbounded number of sessions and may produce messages of unbounded size is 
undecidable [13,2]. For this reason, we will restrict the messages that can be 
substituted for variables of rules in $\mathcal{F}_b$ to belong to the finite 
domain $\mathcal{D}$. However, we put no restrictions on the variables of rules 
in $\mathcal{F}_u$, i.e., these variables can be substituted by messages of 
unbounded size. We therefore refer to principals in $\mathcal{F}_u$ as 
unbounded and to those in $\mathcal{F}_b$ as bounded. A rule of an unbounded 
principal is called unbounded and analogously a rule of a bounded principal is 
bounded. In the following section, attacks are defined formally and the 
relationship to other models is further discussed. As mentioned, our technical 
report [4] contains a formal description of a protocol in our protocol model. 



2.3 The Intruder and Attacks 

Our intruder model follows the Dolev-Yao intruder [12]. That is, the intruder 
has complete control over the network and he can derive new messages from his 
initial knowledge and the messages received from honest principals during 
protocol runs. To derive a new message, the intruder can compose and 
decompose, encrypt and decrypt messages, in case he knows the key. What 
distinguishes our model from most other models in which security is decidable 
is that the intruder may use the (bounded) principals as often as he wishes to 
perform his attack. As mentioned in the introduction, to deal with this, in 
Section 4 we will extend the intruder by so-called oracle rules. 

The intruder derives new messages from a given (finite) set of messages by 
applying rewrite rules. A rewrite rule (or $t$-rule) $L$ is of the form 
$M \to t$ where $M$ is a finite set of messages and $t$ is a message. Given a 
finite set $E$ of messages, the rule $L$ can be applied to $E$ if 
$M \subseteq E$. We define the step relation $\to_L$ induced by $L$ as a 
binary relation on finite sets of messages. For every finite set of messages 
$E$: $E \to_L E, t$ (recall that $E, t$ stands for $E \cup \{t\}$) if $L$ is a 
$t$-rule and $L$ can be applied to $E$. If $\mathcal{L}$ denotes a (finite or 
infinite) set of intruder rules, then $\to_{\mathcal{L}}$ denotes the union 
$\bigcup_{L \in \mathcal{L}} \to_L$ of the step relations $\to_L$ with 
$L \in \mathcal{L}$. With $\to^*_{\mathcal{L}}$ we denote the reflexive and 
transitive closure of $\to_{\mathcal{L}}$. 

The set of rewrite rules the intruder can use is listed in Table 1. These 
rules are called (Dolev-Yao) intruder rules. In the table, $a, b$ denote 
(arbitrary) messages, $K$ is an element of $\mathcal{K}$, and $E$ is a finite 
set of messages. 

The intruder rules are denoted as shown in Table 1. We consider 
$L_{p1}((a, b)), \ldots, L_{sd}(\{a\}^s_b)$ and 
$L_c((a, b)), \ldots, L_c(\{a\}^s_b)$ as singletons. Note that the number of 
decomposition and composition rules is always infinite since there are 
infinitely many messages $a, b$. 

We further group the intruder rules as follows. In the following, $t$ ranges 
over all messages. 

— $L_d(t) := L_{p1}(t) \cup L_{p2}(t) \cup L_{ad}(t) \cup L_{sd}(t)$. In case, 
for instance, $L_{p1}(t)$ is not defined, i.e., the head symbol of $t$ is not 
a pair, then $L_{p1}(t) = \emptyset$; analogously for the other rule sets, 

— $L_d := \bigcup_t L_d(t)$, $L_c := \bigcup_t L_c(t)$, 

— $\mathcal{L}_{DY} := L_d \cup L_c$ (where DY stands for “Dolev and Yao”). 
Table 1. Intruder Rules 

              Decomposition rules                              Composition rules 

Pair          $L_{p1}((a, b))$: $(a, b) \to a$                 $L_c((a, b))$: $a, b \to (a, b)$ 
              $L_{p2}((a, b))$: $(a, b) \to b$ 

Asymmetric    $L_{ad}(\{a\}^p_K)$: $\{a\}^p_K, K^{-1} \to a$   $L_c(\{a\}^p_K)$: $a, K \to \{a\}^p_K$ 

Symmetric     $L_{sd}(\{a\}^s_b)$: $\{a\}^s_b, b \to a$        $L_c(\{a\}^s_b)$: $a, b \to \{a\}^s_b$ 


The set of messages the intruder can derive from a (finite) set $E$ of 
messages is: 
$d_{DY}(E) := \bigcup \{E' \mid E \to^*_{\mathcal{L}_{DY}} E'\}$. 

Before we can define attacks on a protocol 
$P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$, we need some new 
notions. 

Given a partially ordered set $\mathcal{F}$ of principal rules with associated 
ordering $<$, an execution ordering $\pi$ for $\mathcal{F}$ is a bijective 
mapping from some subset $\mathcal{F}'$ of $\mathcal{F}$ into 
$\{1, \ldots, \mathrm{card}(\mathcal{F}')\}$ such that $L < L'$ implies 
$\pi(L) < \pi(L')$ for every $L, L' \in \mathcal{F}'$. The size of $\pi$ is 
$\mathrm{card}(\mathcal{F}')$. 

The partially ordered set of instantiations of the bounded principals in $P$ 
is $\mathcal{F}_b^{\mathcal{D}} := \{\Pi\sigma' \mid \Pi \in \mathcal{F}_b 
\text{ and } \sigma' : \mathrm{Var}(\Pi) \to \mathcal{D}\}$. The partially 
ordered set induced by $P$ is 
$\mathcal{F}_P := \mathcal{F}_u \cup \mathcal{F}_b^{\mathcal{D}}$. 

We are now prepared to define attacks. In an attack, a principal $\Pi$ 
performs his sequence (linear ordering) of principal rules 
$R_1 \to S_1, \ldots, R_n \to S_n$ one after the other. Note that the 
different rules may share variables which are substituted by the same message 
and in this way model the (unbounded) memory of a principal. When in step $i$ 
a message $m$ is received, then $m$ is matched against $R_i$ yielding a 
matcher $\sigma$ (if any) with $R_i\sigma = m$, and $\Pi$ returns $S_i\sigma$ 
as output. Variables in $R_i$ and $S_i$ which occurred in a previous step, and 
thus, have been assigned a message already, are substituted by this message. 
As mentioned in Section 2.2, the intruder may use an unbounded principal, 
i.e., a principal in $\mathcal{F}_u$, at most once, and he may use every 
bounded principal, i.e., a principal in $\mathcal{F}_b$, as often as he wishes 
(any time with a possibly different matching). The difference between 
unbounded and bounded principals is as follows: While an unbounded principal 
accepts every message as long as it matches the current input pattern $R_i$, 
a bounded principal expects that the variables are filled with elements of the 
domain represented by $\mathcal{D}$. Thus, $\mathcal{F}_b^{\mathcal{D}}$ is 
the set of instances of bounded principals the intruder may use to perform an 
attack. Note that subsequent use of an instance after the first time does not 
yield new knowledge. Therefore, we assume w.l.o.g. that bounded principal 
instances in $\mathcal{F}_b^{\mathcal{D}}$ are used only once. Note, however, 
that $\mathcal{F}_b^{\mathcal{D}}$ contains different (an exponential number 
of) instances of one bounded principal. Altogether, the intruder may use every 
principal in $\mathcal{F}_P$ once. For a subset of these principals he 
(nondeterministically) chooses some execution ordering and then tries to 
produce input messages for the principal rules. These input messages are 
derived from the intruder's initial knowledge and the output messages produced 
by executing the principal rules. 
The aim of the intruder is to derive the message $\mathit{secret}$. Formally, 
attacks are defined as follows. 

Definition 2. Let $P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$ be a 
protocol and let $\mathcal{F}_P$ be the partially ordered set induced by $P$. 
An $\mathcal{L}_{DY}$-attack (or simply attack) on $P$ is a tuple 
$(\pi, \sigma)$ where $\pi$ is an execution ordering on $\mathcal{F}_P$ of 
size $k$, and $\sigma$ is a ground substitution of the variables occurring in 
$P$ such that 

$R_i\sigma \in d_{DY}(S_0, S_1\sigma, \ldots, S_{i-1}\sigma)$ 

for every $i \in \{1, \ldots, k\}$, where $R_i \to S_i = \pi^{-1}(i)$ and 
$S_0$ stands for the initial intruder knowledge $E_I$ (as in the input of 
Figure 1), and 

$\mathit{secret} \in d_{DY}(S_0, S_1\sigma, \ldots, S_k\sigma)$. 

The decision problem we are interested in is the following set of protocols, 
where we assume the terms occurring in a protocol to be given as dags. 

Insecure := $\{P \mid$ there exists an $\mathcal{L}_{DY}$-attack on $P\}$. 

If we restrict the set $\mathcal{F}_b$ of bounded principals to be the empty 
set (and in this case we do not need $\mathcal{D}$), then this is the case of 
protocol analysis w.r.t. a bounded number of sessions and unbounded message 
size as considered, for instance, in [15,19,18], and called unbounded message 
model in the introduction. On the other hand, if we restrict $\mathcal{F}_u$ 
to be an empty set, then this is basically the case of protocol analysis 
w.r.t. an unbounded number of sessions but with bounded message size as 
studied in [13], and called bounded message model in the introduction. We 
note, however, that in contrast to [13], here we allow the intruder to derive 
messages of arbitrary size; only the size of messages accepted by the 
(bounded) principals is bounded. Also, we allow complex rather than only 
atomic keys. 

Summing up, with the protocol and the intruder model considered here, we 
integrate the bounded and the unbounded message models. 

3 Main Result 

The main result of this paper is: 

Theorem 1. The problem Insecure is DEXPTIME-complete. 

In [13], it has been shown that deciding secrecy in the bounded model, i.e., 
an unbounded number of sessions but bounded messages, is DEXPTIME-complete. 
Since here we extend this setting, it is not surprising that for Insecure we 
also obtain DEXPTIME-hardness. In fact, one can use the same reduction, namely 
a reduction from the recognition problem for Datalog programs [10], as in [13]. 

In [19], it has been shown that deciding Insecure for protocols $P$ without 
bounded principals (i.e., $\mathcal{F}_b = \emptyset$) is NP-complete. We can 
use this result to also obtain an upper bound for Insecure in the general 
case: Let $P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$. Observe that 
$P \in$ Insecure iff 
$P' = (\mathcal{F}_u \cup \mathcal{F}_b^{\mathcal{D}}, \emptyset, E_I, \emptyset) \in$ 
Insecure. The protocol $P'$ can be handled with the algorithm proposed in 
[19]. However, since $P'$ may be of size exponential in the size of $P$, this 
only shows that Insecure is in NEXPTIME. Thus, the main problem in proving 
Theorem 1 is to establish the tight upper bound. 

The main idea of this proof is as follows: We first extend the capabilities of 
the Dolev-Yao intruder by so-called oracle rules, i.e., intruder rules which 
satisfy certain conditions. For this extended intruder we show that insecurity 
for protocols without bounded principals is in NP given an oracle for 
performing oracle rules (Theorem 2). We then turn the set 
$\mathcal{F}_b^{\mathcal{D}}$ of instantiated bounded principals into intruder 
rules and show that these rules are in fact oracle rules. This will yield the 
claimed exponential time upper bound (Section 5). 

In the following section oracle rules are introduced and the NP decision 
algorithm is presented. 

4 A General Framework 

We now extend the Dolev-Yao intruder by oracle rules, which are intruder rules 
satisfying certain conditions, and show that insecurity in presence of such an 
extended intruder for protocols without bounded principals is in NP given a 
procedure for applying oracle rules. We first introduce oracle rules and then 
present the NP algorithm. 

4.1 Extending the Dolev-Yao Intruder by Oracle Rules 

In the rest of this paper, let $L_o$ denote a (finite or infinite) set of 
rewrite rules of the form $M \to t$ where $M$ is a finite set of messages and 
$t$ is a message. In Definition 4, we will impose restrictions on this set and 
then call it the set of oracle rules. The subset of $L_o$ consisting of 
$t$-rules is denoted by $L_o(t)$. The union of the Dolev-Yao intruder rules 
and the oracle rules is denoted by 
$\mathcal{L}_{DYo} := \mathcal{L}_{DY} \cup L_o$ and called oracle intruder 
rules. Define $\mathcal{L}_c := L_c \cup L_o$ to be the set of composition 
rules, $\mathcal{L}_c(t) := L_c(t) \cup L_o(t)$, and $\mathcal{L}_d(t)$ to be 
the set of all decomposition $t$-rules in Table 1. 

The set $d_{DYo}(E)$ of messages the intruder can derive from $E$ using the 
rules $\mathcal{L}_{DYo}$ is defined analogously to $d_{DY}(E)$. Also, 
$\mathcal{L}_{DYo}$-attacks are defined analogously to 
$\mathcal{L}_{DY}$-attacks. 

Given finite sets of messages $E, E'$, an ($\mathcal{L}_{DYo}$-)derivation 
$D$ of length $n$, $n \ge 0$, from $E$ to $E'$ is a sequence of steps of the 
form $E \to_{L_1} E, t_1 \to_{L_2} \cdots \to_{L_n} E, t_1, \ldots, t_n$ with 
messages $t_1, \ldots, t_n$, $E' = E \cup \{t_1, \ldots, t_n\}$, and 
$L_i \in \mathcal{L}_{DYo}$ such that 
$E, t_1, \ldots, t_{i-1} \to_{L_i} E, t_1, \ldots, t_i$ and 
$t_i \notin E \cup \{t_1, \ldots, t_{i-1}\}$ 
for every $i \in \{1, \ldots, n\}$. The rule $L_i$ is called the $i$th rule 
in $D$ and the step $E, t_1, \ldots, t_{i-1} \to_{L_i} E, t_1, \ldots, t_i$ is 
called the $i$th step in $D$. We write $L \in D$ to say that 
$L \in \{L_1, \ldots, L_n\}$. If $\mathcal{L}$ is a set of rewrite rules, then 
we write $\mathcal{L} \notin D$ to say 
$\mathcal{L} \cap \{L_1, \ldots, L_n\} = \emptyset$. The message $t_n$ is 
called the goal of $D$. 

We also need well formed derivations, which are derivations where every 
message generated by an oracle intruder rule is a subterm of the goal or a 
subterm of a term in the initial set of messages. 
Definition 3. Let $D = E \to_{L_1} \cdots \to_{L_n} E'$ be a derivation with 
goal $t$. Then, $D$ is well formed if for every $L \in D$ and every $t'$: 
$L \in \mathcal{L}_c(t')$ implies $t' \in \mathrm{Sub}(E, t)$, and 
$L \in \mathcal{L}_d(t')$ implies $t' \in \mathrm{Sub}(E)$. 

We can now define oracle rules. Condition 1. in the following definition 
requires the existence of well formed derivations. This will allow us to bound 
the length of derivations and the size of messages needed in derivations. The 
remaining conditions are later used to bound the size of the substitution 
$\sigma$ of an attack. 

Definition 4. Let $L_o$ be a (finite or infinite) set of rules and $P$ be a 
protocol. Then, $L_o$ is a set of oracle rules (w.r.t. $L_c \cup L_d$ as 
defined above) iff there exists a polynomial $p(\cdot)$ such that: 

1. For every message $t$, if $t \in d_{DYo}(E)$, then there exists a well 
formed derivation from $E$ with goal $t$. 

2. If $F \to_{L_o(t)} F, t$ and $F, t \to_{L_d(t)} F, t, a$, then there exists 
a derivation $D$ from $F$ with goal $a$ such that $L_d(t) \notin D$. 

3. For every rule $F \to t \in L_o(t)$ we have $|t| \le p(|P|)$ and for all 
$t' \in F$, $|t'| \le p(|P|)$. 

In what follows, we always assume that $L_o$ is a set of oracle rules. We call 
a protocol $P$ of the form $(\mathcal{F}_u, \emptyset, E_I, \emptyset)$ 
restricted. We want to decide the insecurity of a restricted protocol w.r.t. 
an intruder using $\mathcal{L}_{DYo}$, i.e., the Dolev-Yao intruder rules plus 
the oracle rules. Formally, the decision problem we are interested in is the 
following set of restricted protocols $P$: 

Insecure$_o$ := $\{P \mid$ there exists an $\mathcal{L}_{DYo}$-attack on the 
restricted protocol $P\}$ 

4.2 An NP Decision Algorithm 

The following theorem is used to prove Theorem 1. 

Theorem 2. Let $L_o$ be a set of oracle rules. Given a procedure (an oracle) 
for deciding $E \to_{L_o} t$ for every finite set $E$ of messages and message 
$t$ in constant time, Insecure$_o$ can be decided by a nondeterministic 
polynomial time algorithm. 

The NP decision procedure is given in Figure 1. In (1) and (2) of the 
procedure, an attack $(\pi, \sigma)$ is guessed of size polynomially bounded 
in $n$. Then, it is checked whether this is in fact an attack. 

Obviously, the procedure is sound. As for completeness, one needs to show 
that it suffices to only consider substitutions bounded as done in the 
procedure. This is proved in Section 4.3, Theorem 3. 

To show that the procedure is in fact an NP procedure given a procedure for 
deciding $E \to t \in L_o$, we prove that (3) and (4) can be decided by an NP 
algorithm. Given that $|R_i\sigma, S_0\sigma, \ldots, S_{i-1}\sigma|$ is 
polynomially bounded in $|P|$ for every $i \le k$ (see Corollary 1), it 
suffices to show that the following problem belongs to NP (given the decision 
procedure for $E \to t \in L_o$): 

Derive := $\{(E, t) \mid$ there exists an $\mathcal{L}_{DYo}$-derivation from 
$E$ with goal $t\}$. 
Input: restricted protocol $P = (\mathcal{F}_u, \emptyset, S_0, \emptyset)$ 
with $n = p(|P|)$, where $p(\cdot)$ is the polynomial associated to the oracle 
rules, and $V = \mathrm{Var}(P)$. 

1. Guess an execution ordering $\pi$ for $P$. Let $k$ be the size of $\pi$. 
Let $R_i \to S_i = \pi^{-1}(i)$ for $i \in \{1, \ldots, k\}$. 

2. Guess a normalized ground substitution $\sigma$ such that 
$|\sigma(x)| \le 3n^2$ for all $x \in V$. 

3. Test that $R_i\sigma \in d_{DYo}(\{S_0\sigma, \ldots, S_{i-1}\sigma\})$ for 
every $i \le k$. 

4. Test that $\mathit{secret} \in d_{DYo}(\{S_0\sigma, \ldots, S_k\sigma\})$. 

5. If each test is successful, then answer “yes”, and otherwise, “no”. 



Fig. 1. NP Decision Procedure for Insecurity 



In this problem, $E$ and $t$ are assumed to be represented as dags. The 
following lemma follows quite easily from the existence of well formed 
derivations (see [4] for the proof). 

Lemma 1. Given a procedure for deciding $E \to t \in L_o$, Derive can be 
decided in nondeterministic polynomial time. 

From Theorem 3 proved in the following section, completeness of the procedure 
depicted in Figure 1 follows. 



4.3 Polynomial Bounds on Attacks 

To show completeness of the NP decision algorithm depicted in Figure 1, we 
need to prove that it suffices to consider substitutions bounded as in the second 
step of this algorithm. To this end, we consider an attack of minimal size, a 
so-called normal attack, and show that the size of this attack can be bounded 
as stated in the algorithm. 

Given an attack $(\pi, \sigma)$ on a protocol $P$ define 
$|\sigma| := \sum_{x \in \mathrm{Var}(P)} |\sigma(x)|$. We say that the attack 
$(\pi, \sigma)$ is normal if $|\sigma|$ is minimal, i.e., for every attack 
$(\pi', \sigma')$, $|\sigma| \le |\sigma'|$. Clearly, if there is an attack, 
there is a normal attack. Note also that a normal attack is not necessarily 
uniquely determined. 

The next lemma says that normal attacks can always be constructed by linking 
subterms that are initially occurring in the problem specification or by terms 
bounded by $p(|P|)$. This will allow us to bound the size of attacks as 
desired (Theorem 3 and Corollary 1). To state the lemma, we need some 
notation. 

Let $P$, $R_i$, $S_i$, $(\pi, \sigma)$, $V$, $p(\cdot)$, and $k$ be defined as 
in Figure 1. Let 
$SP = \mathrm{Sub}(\{R_j \mid j \in \{1, \ldots, k\}\} \cup \{S_j \mid j \in \{0, \ldots, k\}\})$. 
We recall that $\mathcal{A} \subseteq SP$. 

Definition 5. Let $t$ and $t'$ be two terms and $\theta$ a ground 
substitution. Then, $t$ is a $\theta$-match of $t'$, denoted 
$t \sqsubseteq_\theta t'$, if $t$ is not a variable, and $t\theta = t'$. 

In [4], we prove: 

Lemma 2. Given a normal attack $(\pi, \sigma)$, for all variables $x$: 
$|\sigma(x)| \le p(|P|)$ or there exists $t \in SP$ such that 
$t \sqsubseteq_\sigma \sigma(x)$. 

Using this lemma, it is now easy to bound the size of every $\sigma(x)$ (see 
[4] for the proof): 

Theorem 3. For every protocol $P$, if $(\pi, \sigma)$ is a normal attack on 
$P$, then $|\{\sigma(x) \mid x \in \mathrm{Var}(P)\}| \le 3 \cdot p(|P|)^2$, 
where $|P|$ is the size of $P$ as defined in Section 2.2 and $p(\cdot)$ is the 
polynomial associated to the set of oracle rules. 

From this, we easily obtain: 

Corollary 1. For every protocol $P$ and normal attack $(\pi, \sigma)$ on $P$: 
$|R_i\sigma, S_0\sigma, \ldots, S_{i-1}\sigma|$ and 
$|\mathit{secret}, S_0\sigma, \ldots, S_k\sigma|$ can be bounded by a 
polynomial in $|P|$ for every $i \in \{1, \ldots, k\}$. 

5 Proof of the Complexity Upper Bound 

We now show the complexity upper bound claimed in Theorem 1. In what follows, 
let $P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$ be a protocol. 

The idea of the proof is to turn the partially ordered set 
$\mathcal{F}_b^{\mathcal{D}}$ of instantiated bounded principals into oracle 
rules and then use Theorem 2. 

The conversion of $\mathcal{F}_b^{\mathcal{D}}$ is carried out in two steps. 
First, this set is turned into a set of so-called aggregated rules. Then, the 
rules are turned into oracle rules. 



5.1 Aggregated Rules 

The set $\mathcal{F}_b^{\mathcal{D}}$ consists of a finite set of 
(instantiated) principals $\Pi$. Assume that the linear ordering associated to 
$\Pi$ is $<$, $\Pi = \{R_0 \to S_0, \ldots, R_{n-1} \to S_{n-1}\}$, and 
$R_i \to S_i < R_j \to S_j$ for every $i < j$. 

Now, replace every $R_i \to S_i$ in $\Pi$ by a rewrite rule 
$\{R_0, \ldots, R_i\} \to S_i$. We denote the resulting set by $\Pi_{agg}$ 
and call this set the aggregated version of $\Pi$. Let $\mathcal{F}_{agg}$ 
denote the set obtained from $\mathcal{F}_b^{\mathcal{D}}$ by replacing every 
principal by its aggregated version. We call this set the set of aggregated 
rules induced by $P$. Define 
$\mathcal{L}_{agg} := \mathcal{L}_{DY} \cup \mathcal{F}_{agg}$, the set of 
aggregated intruder rules (induced by $P$). Note that $\mathcal{L}_{agg}$ 
depends on $P$. However, for simplicity, we omit $P$ in the notation of this 
set. 

The set of terms the intruder can derive from $E$ using $\mathcal{L}_{agg}$ is 
defined as: 

$d_{agg}(E) := \bigcup \{E' \mid E \to^*_{\mathcal{L}_{agg}} E'\}$. 

An $\mathcal{L}_{agg}$-attack on $P$ is defined analogously to 
$\mathcal{L}_{DY}$-attacks. 

The following lemma states that there is an $\mathcal{L}_{DY}$-attack on $P$ 
iff there exists an $\mathcal{L}_{agg}$-attack on $P$ when the bounded 
principals of $P$ are removed. In other words, the bounded principals are 
moved to the intruder. The proof of this lemma is straightforward. 

Lemma 3. There exists an $\mathcal{L}_{DY}$-attack on 
$P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$ iff there exists an 
$\mathcal{L}_{agg}$-attack on $(\mathcal{F}_u, \emptyset, E_I, \emptyset)$. 
From this, if $\mathcal{F}_{agg}$ were oracle rules (in the sense of 
Definition 4), Insecure $\in$ DEXPTIME would immediately follow from 
Theorem 2. In general the set $\mathcal{F}_{agg}$ does not meet the 
restrictions on oracle rules. Therefore, we define principal oracle rules 
meeting the restrictions on oracle rules. In what follows, they are formally 
defined and it is shown that whether $E \to t$ is such a rule can be decided 
in exponential time. Then, we show that these rules can replace aggregated 
rules and that they are oracle rules. Together with Theorem 2, this will yield 
Theorem 1. 

5.2 Principal Oracle Rules 

Let $\mathrm{Sub}_r(\mathcal{F}_{agg})$ denote the set of subterms occurring 
on the right-hand side of rewrite rules in $\mathcal{F}_{agg}$. 

Definition 6. A principal oracle rule induced by a protocol $P$ is a rewrite 
rule of the form $E \to t$ where $E$ is some finite set of ground terms with 
$|u| \le |P|^2$ for every $u \in E$ and $t \in \mathrm{Sub}_r(\mathcal{F}_{agg})$ 
such that $t \in d_{agg}(E)$. Let $\mathcal{F}_p$ denote the set of principal 
oracle rules induced by $P$. 

Note that in the above definition $|t| \le |P|^2$ and 
$\mathcal{F}_{agg} \subseteq \mathcal{F}_p$. 

We now show that principal oracle rules can be decided in exponential time. 



Proposition 1. For every $E$ and $t$, it can be decided in exponential time 
in the dag size of $E$ and $P$ whether $E \to t \in \mathcal{F}_p$. 

The key to the proof of this proposition is the following lemma, which is 
proved in [4]. Intuitively, it states that $\mathcal{L}_{agg}$-derivations are 
well formed in the sense that the messages produced in each step of the 
derivation are subterms of a certain set of messages. Note that 
$\mathcal{L}_{agg}$-derivations are derivations, as defined in Section 4.1, 
which use only intruder rules from $\mathcal{L}_{agg}$. In what follows, let 
$\mathcal{U}$ denote the set of subterms of $\mathcal{F}_{agg}$. 

Lemma 4. Assume that $E \to t \in \mathcal{F}_p$. Let $D$ denote a derivation 
from $E$ with goal $t$ over $\mathcal{L}_{agg}$ of minimal length. Then, 
$u \in \mathrm{Sub}(E, t, \mathcal{U})$ for every message $u$ such that there 
exists a $u$-rule in $D$. 

Now to test whether $E \to t \in \mathcal{F}_p$ one can iteratively apply 
rules in $\mathcal{L}_{agg}$ to $E$ that create subterms of 
$E, t, \mathcal{U}$. Let $E'$ be the resulting set of terms. Then, Lemma 4 
ensures that $t \in E'$ iff $E \to t \in \mathcal{F}_p$. It is easy to see 
that $E'$ can be computed in time exponential in the size of $P$. This 
completes the proof of Proposition 1. 
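The intruder rules of Table 1, the derivation closure $d_{DY}(E)$ of Section 2.3, the aggregated rules of Section 5.1 and the saturation just described for Proposition 1 can all be exercised on a small constructed protocol. The Python program below is an added example; it is not code from the paper or from its technical report [4]. The term encoding (nested tuples), the key-naming convention pk_X / sk_X, the bounded principal B, its domain D and the initial intruder knowledge E_I are all constructed for this illustration. The program decides $t \in d(E)$ by forward saturation in which composition is only attempted on subterms of $E$, $t$ and the rule set, which is the restriction Lemma 4 justifies, and it builds $\mathcal{F}_{agg}$ for one bounded principal by instantiating its variables over D.

```python
from itertools import product

# Added example, not code from the paper. Term encoding (constructed):
# atoms are strings, variables are strings starting with "?", and
#   ("pair", a, b)  stands for the pair (a, b),
#   ("senc", m, k)  for {m}^s_k, symmetric encryption with an arbitrary key term,
#   ("penc", m, K)  for {m}^p_K, public key encryption with an atomic key K.
# Key pairs use the constructed naming convention pk_X / sk_X.

def inv(k):
    """k^{-1}: the inverse of an atomic public/private key, None otherwise."""
    if isinstance(k, str) and k.startswith("pk_"):
        return "sk_" + k[3:]
    if isinstance(k, str) and k.startswith("sk_"):
        return "pk_" + k[3:]
    return None

def sub(t):
    """Sub(t), the set of subterms; the dag size |t| is len(sub(t))."""
    if isinstance(t, str):
        return {t}
    return {t} | sub(t[1]) | sub(t[2])

def subterms(E):
    """Sub(E) for a set of terms E."""
    return set().union(*(sub(t) for t in E))

def derives(E, t, extra_rules=(), extra_sub=frozenset()):
    """Decide t in d(E) for the Dolev-Yao rules of Table 1 plus extra_rules,
    given as (frozenset_of_premises, conclusion) pairs (e.g. aggregated rules).
    Composition is only attempted on subterms of E, t and extra_sub: this is
    the saturation from the proof of Proposition 1, justified by Lemma 4."""
    cand = subterms(set(E) | {t}) | set(extra_sub)
    known = set(E)
    while t not in known:
        new = set()
        for u in known:                               # decomposition rules L_d
            if isinstance(u, str):
                continue
            tag, a, b = u
            if tag == "pair":                         # L_p1, L_p2
                new |= {a, b}
            elif tag == "senc" and b in known:        # L_sd: {a}^s_b, b -> a
                new.add(a)
            elif tag == "penc" and inv(b) in known:   # L_ad: {a}^p_K, K^-1 -> a
                new.add(a)
        for u in cand:                                # composition rules L_c
            if not isinstance(u, str) and u[1] in known and u[2] in known:
                new.add(u)
        for prem, concl in extra_rules:               # aggregated / oracle rules
            if prem <= known:
                new.add(concl)
        if new <= known:                              # fixpoint reached without t
            return False
        known |= new
    return True

def variables(t):
    """Var(t)."""
    if isinstance(t, str):
        return {t} if t.startswith("?") else set()
    return variables(t[1]) | variables(t[2])

def apply_subst(t, sigma):
    """t sigma."""
    if isinstance(t, str):
        return sigma.get(t, t)
    return (t[0], apply_subst(t[1], sigma), apply_subst(t[2], sigma))

def aggregated_rules(principal, domain):
    """F_agg for one bounded principal (Section 5.1): for every substitution
    sigma: Var(Pi) -> D and every i, the rule {R_0 sigma, ..., R_i sigma} -> S_i sigma."""
    vs = sorted(set().union(*(variables(R) | variables(S) for R, S in principal)))
    rules = []
    for vals in product(sorted(domain), repeat=len(vs)):
        sigma = dict(zip(vs, vals))
        prem = set()
        for R, S in principal:
            prem.add(apply_subst(R, sigma))
            rules.append((frozenset(prem), apply_subst(S, sigma)))
    return rules

# Constructed bounded principal B: it decrypts a pair under its long-term key k
# and re-encrypts the first component under the second, {(x, y)}^s_k -> {x}^s_y,
# with x, y ranging over the finite domain D.
B = [(("senc", ("pair", "?x", "?y"), "k"), ("senc", "?x", "?y"))]
D = {"A", "I", "n", "secret"}

# Constructed initial intruder knowledge: two ciphertexts under k (which the
# intruder does not know) plus the names A and I.
E_I = {"I", "A",
       ("senc", ("pair", "n", "I"), "k"),
       ("senc", ("pair", "secret", "n"), "k")}

def attack_possible(E, principal, domain):
    """secret in d_agg(E): the intruder extended by the aggregated rules."""
    rules = aggregated_rules(principal, domain)
    U = subterms({u for prem, _ in rules for u in prem} | {c for _, c in rules})
    return derives(E, "secret", rules, U)

if __name__ == "__main__":
    print(derives(E_I, "secret"))              # plain Dolev-Yao: False
    print(len(aggregated_rules(B, D)))         # |D|^|Var(B)| = 16 instances
    print(attack_possible(E_I, B, D))          # two instances of B: True
    print(attack_possible(E_I, B, D - {"n"}))  # n outside D: False
```

With the plain Dolev-Yao rules the intruder cannot obtain secret from E_I. With the aggregated rules he can, and the derivation uses two different instances of B (the substitutions x ↦ n, y ↦ I and x ↦ secret, y ↦ n): the first instance yields {n}^s_I, which the intruder decrypts with his own name, and the second yields {secret}^s_n, which he can now decrypt with n. A bounded-session analysis that uses B only once does not find this attack, while the saturation over $\mathcal{F}_{agg}$ finds it without adding any new principal. Shrinking D so that n is no longer an admissible value removes the attack, which is the bounded-message restriction on principals at work.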

5.3 Principal Oracle Rules can Replace Aggregated Rules 

Let $\mathcal{L}_p := \mathcal{L}_{DY} \cup \mathcal{F}_p$ be the set of 
principal intruder rules. The set of terms the intruder can derive from $E$ 
using $\mathcal{L}_p$ is defined as 
$d_p(E) := \bigcup \{E' \mid E \to^*_{\mathcal{L}_p} E'\}$. An 
$\mathcal{L}_p$-attack on $P$ is defined analogously to 
$\mathcal{L}_{DY}$-attacks. 

Obviously, $d_{agg}(E) = d_p(E)$ for every finite set $E$ of messages. As an 
immediate consequence, we obtain: 

Lemma 5. Let $P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$ be a 
protocol and let $\mathcal{L}_{agg}$ and $\mathcal{L}_p$ be the aggregated and 
principal intruder rules induced by $P$. Then, there exists an 
$\mathcal{L}_{agg}$-attack on $(\mathcal{F}_u, \emptyset, E_I, \emptyset)$ iff 
there exists an $\mathcal{L}_p$-attack on this protocol. 

Together with Lemma 3 this yields: 

Proposition 2. Let $P = (\mathcal{F}_u, \mathcal{F}_b, E_I, \mathcal{D})$ be 
a protocol and let $\mathcal{L}_p$ be the principal intruder rules induced by 
$P$. Then, there exists an $\mathcal{L}_{DY}$-attack on $P$ iff there exists 
an $\mathcal{L}_p$-attack on $(\mathcal{F}_u, \emptyset, E_I, \emptyset)$. 



5.4 Principal Oracle Rules Are Oracle Rules 

In what follows, we identify $L_o$ with $\mathcal{F}_p$, and show that $L_o$ 
is a set of oracle rules. By definition of $\mathcal{F}_p$, the last condition 
on oracle rules (Definition 4, 3.) is met with $p(n) = n^2$. 

The following lemma shows the second condition in the definition of oracle 
rules. 

Lemma 6. If $F \to_{L_o(t)} F, t$ and $F, t \to_{L_d(t)} F, t, a$, then there 
exists a derivation $D$ from $F$ with goal $a$ such that $L_d(t) \notin D$. 

Proof. The proof is obvious. It suffices to observe that 
$a \in d_p(F) \cap \mathrm{Sub}_r(\mathcal{F}_{agg})$, and thus, 
$F \to a \in \mathcal{F}_p$. □ 

The next lemma, shown in [4], states that if a derivation exists, then also a 
well formed derivation. 

Lemma 7. If $t \in d_p(E)$, then there exists a well formed derivation with 
goal $t$. 

The two lemmas imply: 

Proposition 3. The set $L_o$ of principal oracle rules is a set of oracle 
rules. 

Now, together with Theorem 2 and Proposition 1 this shows the complexity 
upper bound claimed in Theorem 1. 

6 Conclusion 

We have proposed a protocol model which integrates what we have called the 
unbounded and the bounded message models, and we have shown that deciding 
secrecy in our model is EXPTIME-complete. For this purpose we have extended 
the Dolev-Yao intruder in a general framework by oracle rules and applied this 
framework to handle an unbounded number of sessions. 

In future work, we will investigate to what extent this framework can be 
applied to yield other interesting extensions of the Dolev-Yao intruder. 
Another question is whether the oracle rules introduced here can be combined 
with those considered in [5], with the potential of even more powerful 
intruders, e.g., those combining an unbounded number of sessions with the XOR 
operator. 
Abstract. We study the proof complexity of Taut, the class of Second-Order
Existential (SO$\exists$) logical sentences which fail in all finite models. The
Complexity-Gap theorem for Tree-like Resolution says that the shortest Tree-like
Resolution refutation of any such sentence $\Phi$ is either fully exponential, or
polynomial, $n^{O(1)}$, where $n$ is the size of the finite model. Moreover, there is a
very simple model-theoretic criterion which separates the two cases: the
exponential lower bound holds if and only if $\Phi$ holds in some infinite model.

In the present paper we prove several generalisations and extensions of
the Complexity-Gap theorem.

1. For a natural subclass of Taut, Rel(Taut), there is a gap between
polynomial Tree-like Resolution proofs and sub-exponential, $2^{\Omega(n^{\varepsilon})}$,
general (DAG-like) Resolution proofs, whilst the separating model-theoretic
criterion is the same as before. Rel(Taut) is the set of all sentences in Taut,
relativised with respect to a unary predicate.

2. The gap for stronger systems, Res*(k), is between polynomial and
$\exp\left(\Omega\left(\frac{n \log k}{k}\right)\right)$ for every $k$, $1 \le k \le n$. Res*(k) is an extension
of Tree-like Resolution, in which literals are replaced by terms (i.e.
conjunctions of literals) of size at most $k$. The lower bound is tight.

3. There is (as expected) no gap for any propositional proof system
(including Tree-like Resolution) if we enrich the language of SO logic
by a built-in order.



1 Introduction 

In [1] a new kind of result for propositional logic was introduced. Expressed
somewhat informally, it was shown that any sequence $\varphi_n$ of tautologies which
expresses the validity of a fixed combinatorial principle either is "easy", i.e. has
polynomial size tree-resolution proofs, or is "difficult", i.e. requires fully exponential
size tree-resolution proofs. It was shown that the class of tautologies which are
hard (for tree-resolution) is identical to the class of tautologies which are based
on combinatorial principles which are violated for infinite sets.



M. Baaz and J.A. Makowsky (Eds.): CSL 2003, LNCS 2803, pp. 142-154, 2003. 
According to this result the proof complexity of a combinatorial principle
never has intermediate growth rates like, for example, $2^{\log^k n}$, $k = 2, 3, \ldots$. In
this paper we extend this result to a number of related resolution-based systems.

A central question in the theory of proof complexity concerns the amount
of resources (usually proof length) needed to prove a certain sequence
of tautologies. Usually, the sequence consists of tautologies which
are similar except for their size. The paper is organised as follows:

Firstly, we consider the resolution proof system in the setting of DAG-like
proofs rather than tree-like ones. In a DAG-like proof a once derived dis-
junction can be used any number of times later in the proof. This cannot happen
in the tree-like case. Thus a given tautology might have a DAG-like proof which
is substantially shorter than the shortest tree-like proof [2].

The class of combinatorial problems which are hard for DAG-like resolution
differs from the class of combinatorial problems which are hard for tree-like
resolution. The "minimal element" principle separates the two systems [3].

In this paper we show that the class of combinatorial problems which are hard for
DAG resolution is identical to the class which is hard for tree resolution, provided
the combinatorial principles are relativised. This answers an open question
by Krajicek [4].

Secondly, we consider Res(k), which is similar to but stronger than resolution.
In Res(k) clauses, i.e. disjunctions, are replaced by disjunctions of conjunctions
of $\le k$ literals. The rules are strengthened so that one can resolve not just on a single
variable (as in resolution), but also on conjunctions of up to $k$ variables. An easy
extension of [1] gives a complexity jump from polynomial to $\exp\left(\Omega\left(\frac{n}{k}\right)\right)$ for these
problems (when proofs are represented as trees). This lower bound is also implicit
in [4] by Krajicek. We improve this, and show that the jump is from polynomial
to $\exp\left(\Omega\left(\frac{n \log k}{k}\right)\right)$. Moreover, we show that the lower bound is tight.

Finally, we show that there is no complexity gap if we enrich the language
of SO logic by a built-in order. Even though this result is expected, it has a
less obvious consequence. It allows us to answer an open question from [5] by
showing that there is no complexity gap for tree resolution above $2^{n \log n}$. We
expect that there is a complexity gap above $2^n$, but are not sure whether the gap jumps
the whole way up to $2^{n \log n}$.

2 Preliminaries 

2.1 Resolution with Bounded Conjunction, Res(k)

In this section we recall some of the basic concepts related to resolution proofs.

A literal is a propositional variable or the negation of a propositional vari-
able. A $k$-conjunction $\bigwedge_{j \in J} l_j$ is a conjunction of at most $k$ literals. A $k$-DNF is a
disjunction of $k$-conjunctions.

The Res(k) proof system is a refutation system designed to provide certifi-
cates (i.e. proofs) that a system of $k$-DNFs is unsatisfiable. This is done by
means of the following four derivation rules. The $\wedge$-introduction rule is

$$\frac{C_1 \vee \bigwedge_{j \in J_1} l_j \qquad C_2 \vee \bigwedge_{j \in J_2} l_j}{C_1 \vee C_2 \vee \bigwedge_{j \in J_1 \cup J_2} l_j},$$

provided that $|J_1 \cup J_2| \le k$. The cut (or resolution) rule is

$$\frac{C_1 \vee \bigvee_{j \in J} l_j \qquad C_2 \vee \bigwedge_{j \in J} \neg l_j}{C_1 \vee C_2}.$$

The two weakening rules are

$$\frac{C}{C \vee \bigwedge_{j \in J} l_j},$$

provided that $|J| \le k$, and

$$\frac{C \vee \bigwedge_{j \in J_1 \cup J_2} l_j}{C \vee \bigwedge_{j \in J_1} l_j}.$$

Here the $C$'s are $k$-DNFs, and the $l$'s are literals.

The given DNFs are often referred to as axioms, and the task is to derive the
empty clause (the contradiction) from the axioms. In Tree-like Res(k), denoted
Res*(k), the proof is organised as a binary tree with the axioms in the leaves
and the empty clause in the root. In DAG-like Res(k), denoted just Res(k), the
proof is given as a linear sequence $C_1, C_2, \ldots, C_u$ of clauses, where each clause
either is an axiom or can be obtained by means of one of the rules above (applied
to already derived clauses). In a Resolution proof, clauses can be reused more
than once. A tree-like proof does not allow this.
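The four rules above, turned into a small proof checker. This is an added example written for this page, not code from the paper; the encoding of literals as signed integers, the `term`/`dnf` helpers and the constructed three-variable sample refutation are this example's own choices. The sample shows why the width bound matters: the same three steps are a legal Res(3) refutation but are rejected in Res(2), because the second $\wedge$-introduction builds a conjunction of width 3.

```python
# Added example (not from the paper): a checker for the four Res(k) rules above.
# A literal is a non-zero int (-v is the negation of variable v), a k-conjunction
# is a frozenset of literals and a k-DNF is a frozenset of conjunctions; the
# empty frozenset is the empty clause (contradiction).

def term(*lits):
    return frozenset(lits)

def dnf(*terms):
    return frozenset(terms)

EMPTY = dnf()

def and_intro(k, p1, t1, p2, t2):
    """C1 v t1, C2 v t2  |-  C1 v C2 v (t1 u t2), provided |t1 u t2| <= k."""
    if t1 not in p1 or t2 not in p2:
        raise ValueError("chosen conjunction is not a disjunct of its premise")
    t = t1 | t2
    if len(t) > k:
        raise ValueError(f"conjunction of width {len(t)} exceeds k = {k}")
    return (p1 - {t1}) | (p2 - {t2}) | {t}

def cut(p1, lits, p2):
    """C1 v V_{j in J} l_j, C2 v /\\_{j in J} -l_j  |-  C1 v C2."""
    singles = {term(l) for l in lits}           # the l_j as 1-conjunctions of p1
    negated = term(*(-l for l in lits))         # the conjunction of their negations in p2
    if not singles <= p1 or negated not in p2:
        raise ValueError("cut literals do not match the premises")
    return (p1 - singles) | (p2 - {negated})

def weaken(k, p, t):
    """C  |-  C v t, provided |t| <= k."""
    if len(t) > k:
        raise ValueError(f"conjunction of width {len(t)} exceeds k = {k}")
    return p | {t}

def shrink(p, t, sub):
    """C v (t1 /\\ t2)  |-  C v t1, where sub = t1 is a non-empty subset of t."""
    if t not in p or not sub or not sub <= t:
        raise ValueError("sub-conjunction is not part of the chosen disjunct")
    return (p - {t}) | {sub}

def check_refutation(k, axioms, steps):
    """Replay `steps` (rule name + arguments indexing earlier lines) on top of
    `axioms`; return True iff every step is a legal Res(k) inference and the
    last derived line is the empty clause.  Raises ValueError on an illegal step."""
    lines = list(axioms)
    for rule, args in steps:
        if rule == "and_intro":
            i, t1, j, t2 = args
            lines.append(and_intro(k, lines[i], t1, lines[j], t2))
        elif rule == "cut":
            i, lits, j = args
            lines.append(cut(lines[i], lits, lines[j]))
        elif rule == "weaken":
            i, t = args
            lines.append(weaken(k, lines[i], t))
        elif rule == "shrink":
            i, t, sub = args
            lines.append(shrink(lines[i], t, sub))
        else:
            raise ValueError(f"unknown rule {rule!r}")
    return lines[-1] == EMPTY

def is_valid_refutation(k, axioms, steps):
    """Boolean wrapper: False on any illegal step instead of an exception."""
    try:
        return check_refutation(k, axioms, steps)
    except ValueError:
        return False

# Constructed sample: variables 1, 2, 3.  The axioms x1, x2, x3 and the clause
# (-x1 v -x2 v -x3) are contradictory.  In Res(3) two /\-introductions build the
# 3-conjunction (x1 /\ x2 /\ x3) and one cut on J = {-x1, -x2, -x3} finishes.
AXIOMS = [dnf(term(1)), dnf(term(2)), dnf(term(3)), dnf(term(-1), term(-2), term(-3))]
STEPS = [
    ("and_intro", (0, term(1), 1, term(2))),        # line 4: (x1 /\ x2)
    ("and_intro", (4, term(1, 2), 2, term(3))),     # line 5: (x1 /\ x2 /\ x3)
    ("cut", (3, (-1, -2, -3), 5)),                  # line 6: the empty clause
]

if __name__ == "__main__":
    print("Res(3):", is_valid_refutation(3, AXIOMS, STEPS))   # True
    print("Res(2):", is_valid_refutation(2, AXIOMS, STEPS))   # False: width-3 conjunction
```

The checker is for DAG-like Res(k): a line may be referenced by several later steps. A tree-like check would additionally require each line to be used at most once.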



2.2 Proving Lower Bounds for Resolution and Tree-Like Res(k)

We will first describe the search problem associated to an inconsistent set of
clauses, as defined in [6]: given a truth assignment, find a clause falsified under
the assignment.

We can use a refutation of the set of clauses to solve the search problem
as follows. We first turn around all the edges of the graph of the proof. The
contradiction now becomes the only root (source) of the new graph, and the
axioms and the initial formulae become the leaves (sinks). We perform a search
in the new graph, starting from the root, which is falsified by any assignment,
and always going to a vertex which is falsified under the given assignment. Such
a vertex always exists as the inference rules are sound. We end up at a leaf,
which is one of the initial clauses.

Thus, if we want to prove the existence of a particular kind of clause in any
proof, we can use an adversary argument against the refutation, solving the search
problem as described above. The argument is particularly nice for Resolution
(Res(1)), as developed by Pudlak in [7]. There are two players, named Prover
and Adversary. An unsatisfiable set of clauses is given. Adversary claims wrongly
that there is a satisfying assignment. Prover holds a Resolution refutation, and
uses it to solve the search problem. A position in the game is a partial assignment
of the propositional variables. The positions can be viewed as conjunctions of
literals. All the possible positions in the game are exactly the negations of all the
clauses in the Prover's refutation. The game starts from the empty position (which
corresponds to $\top$, the negation of the empty clause). Prover has two kinds of
moves:

1. She queries a variable whose value is unknown in the current position. Ad-
versary answers, and the position is then extended with the answer.

2. She forgets the value of a variable which is known. The current position is
then reduced, i.e., the variable's value becomes unknown.

The game is over when the current partial assignment falsifies one of the clauses.
Prover then wins, having shown a contradiction.

We will be interested in deterministic Adversary strategies which allow us to
prove the existence of certain kinds of clauses in a Resolution refutation.

In order to prove lower bounds on the size of a Resolution proof we will
use the known technique, "bottleneck counting". It was introduced by Haken
in his seminal paper [8] (for the modern treatment see [9]). We first define the
concept of a big clause. We then design random restrictions, so that they "kill" (i.e.
evaluate to $\top$) any big clause with high probability (w.h.p.). By the union bound
principle, if there are few big clauses, there is a restriction which kills them all.
We now consider the restricted set of clauses, and using the Prover-Adversary game,
show that there has to be at least one big clause in the restricted proof, which is
a contradiction and completes the argument.

The case of Tree-like proofs, either Resolution or Res(k), is much simpler, as
a tree-like proof of a given set of clauses is equivalent to a decision tree solving
the search problem [6]. We can use a pretty straightforward adversary argument
against a decision tree in order to show that it has to have many nodes.

2.3 Relativising Combinatorial Principles

Let $\Phi$ be a SO$\exists$ logical sentence. Informally, the statement $\Phi$ states that some
property holds for the whole universe. Informally, the relativised sentence $\mathrm{Rel}(\Phi)$
says that the principle $\Phi$ holds for any non-empty subset of the universe. The
relativised principle not only states the validity of the principle for models of size
$n$, but also implies that the principle holds for all models of size $\le n$. Thus the
relativised principle is in general harder to prove than its non-relativised counter-
part.

We will briefly describe the translation of a SO$\exists$ sentence into a set of clauses.
Assume first that there is a single relation symbol $F$ which is quantified existen-
tially, and the FO part of the sentence is in prenex normal form, i.e.

$$\forall x_1 \exists y_1 \ldots \forall x_m \exists y_m\; F(x_1, y_1, \ldots, x_m, y_m).$$

We first introduce Skolem relations $s$,

$$\bigvee_{k=1}^{n} s^i_{j_1, \ldots, j_i, k} \quad \text{for all } 1 \le i \le m \text{ and all } j_1, \ldots, j_i \in [n],$$

and then the sentence translates into

$$\bigwedge_{i=1}^{m} s^i_{j_1, \ldots, j_i, k_i} \;\to\; F_{j_1, k_1, \ldots, j_m, k_m} \quad \text{for all } j_1, k_1, \ldots, j_m, k_m \in [n].$$

The case when the quantifier-free part of the sentence, $F$, is not an atomic formula is
as easy as this one. We just rewrite $F$ in CNF, and then the clause above becomes
a set of clauses. The number of these clauses is a constant, i.e. independent of
the size of the universe, $n$.

Let us now consider the relativisation, $\mathrm{Rel}(\Phi)$. It is

$$\forall x_1 \in R\, \exists y_1 \in R \ldots \forall x_m \in R\, \exists y_m \in R\; F(x_1, y_1, \ldots, x_m, y_m),$$

and can be rewritten as

$$\forall x_1\, (R(x_1) \to \exists y_1\, (R(y_1) \wedge \ldots \forall x_m\, (R(x_m) \to \exists y_m\, (R(y_m) \wedge F(x_1, \ldots, y_m))))).$$

It is not hard to see that the latter formula translates into the following sets of
clauses (the Skolem clauses $\bigvee_k s^l_{j_1, \ldots, j_l, k}$ are kept as they are):

$$\bigwedge_{i=1}^{l} r_{j_i} \wedge s^l_{j_1, \ldots, j_l, k} \;\to\; r_k \quad \text{for all } 1 \le l \le m \text{ and all } j_1, \ldots, j_l, k \in [n],$$

and

$$\bigwedge_{i=1}^{m} r_{j_i} \wedge \bigwedge_{i=1}^{m} s^i_{j_1, \ldots, j_i, k_i} \;\to\; F_{j_1, k_1, \ldots, j_m, k_m} \quad \text{for all } j_1, k_1, \ldots, j_m, k_m \in [n].$$

Finally we add the clause saying that the unary predicate we relativise with
respect to should not define the empty set, i.e.

$$\bigvee_{i=1}^{n} r_i.$$
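The translation above, worked out for one concrete principle. This is an added example, not the paper's code: it encodes the Minimal Element Principle $\mathrm{MEP}_n$ of Section 4 (relation $P(y, x)$, "$y$ precedes $x$") as clauses over $[n]$, once plainly and once relativised to a unary predicate $R$ exactly as in the three clause families above, and uses a small DPLL solver (this example's own, not something the paper uses) to confirm that both versions are unsatisfiable for small $n$ and that $\mathrm{Rel}(\mathrm{MEP}_n)$ becomes satisfiable as soon as the non-emptiness clause $\bigvee_i r_i$ is dropped, since then $R = \emptyset$ satisfies every guarded clause. The variable names `('p', i, j)`, `('s', i, j)` and `('r', i)` are this example's conventions.

```python
# Added example (not the paper's code): the clause translation of this section
# worked out for the Minimal Element Principle MEP_n of Section 4, both plain and
# relativised to a unary predicate R, plus a tiny DPLL solver to confirm that
# both versions are unsatisfiable for small n and that Rel(MEP_n) becomes
# satisfiable as soon as the non-emptiness clause for R is dropped.
# A literal is (sign, name) with sign in {+1, -1}; names are tuples such as
# ('p', i, j) for P(i, j), ('s', i, j) for "j is the Skolem witness of i" and
# ('r', i) for "i is in R".  Elements of the universe are 1..n.
from itertools import product

def neg(lit):
    return (-lit[0], lit[1])

def mep_clauses(n, relativised=False, nonempty=True):
    U = range(1, n + 1)
    P = lambda i, j: (1, ('p', i, j))
    S = lambda i, j: (1, ('s', i, j))
    R = lambda i: (1, ('r', i))
    # Relativised clauses are guarded by -r_e for each universally bound element e
    guard = (lambda *els: [neg(R(e)) for e in els]) if relativised else (lambda *els: [])
    clauses = []
    for i in U:                                   # Skolem clause: every i has a witness
        clauses.append([S(i, j) for j in U])
    if relativised:                               # r_i /\ s_ij -> r_j : witnesses of R stay in R
        for i, j in product(U, repeat=2):
            clauses.append(guard(i) + [neg(S(i, j)), R(j)])
    for i in U:                                   # irreflexivity: -P(i, i)
        clauses.append(guard(i) + [neg(P(i, i))])
    for i, j, k in product(U, repeat=3):          # transitivity
        clauses.append(guard(i, j, k) + [neg(P(i, j)), neg(P(j, k)), P(i, k)])
    for i, j in product(U, repeat=2):             # s_ij -> P(j, i): the witness precedes i
        clauses.append(guard(i) + [neg(S(i, j)), P(j, i)])
    if relativised and nonempty:                  # R must not be the empty set
        clauses.append([R(i) for i in U])
    return clauses

def satisfiable(clauses, assignment=None):
    """DPLL: unit propagation, then branch on the first literal of the first clause."""
    assignment = dict(assignment or {})
    clauses = [list(c) for c in clauses]
    while True:
        unit, remaining = None, []
        for clause in clauses:
            live, sat = [], False
            for sign, name in clause:
                if name in assignment:
                    if assignment[name] == (sign > 0):
                        sat = True
                        break
                else:
                    live.append((sign, name))
            if sat:
                continue
            if not live:
                return False                      # clause falsified
            if len(live) == 1 and unit is None:
                unit = live[0]
            remaining.append(live)
        clauses = remaining
        if not clauses:
            return True
        if unit is None:
            break
        assignment[unit[1]] = unit[0] > 0
    sign, name = clauses[0][0]
    return (satisfiable(clauses, {**assignment, name: sign > 0})
            or satisfiable(clauses, {**assignment, name: sign < 0}))

if __name__ == "__main__":
    for n in (2, 3):
        print(n, len(mep_clauses(n)),
              satisfiable(mep_clauses(n)),                                    # False
              satisfiable(mep_clauses(n, relativised=True)),                  # False
              satisfiable(mep_clauses(n, relativised=True, nonempty=False)))  # True
```

For $n = 3$ the plain encoding has $42$ clauses and the relativised one $52$: the $n^2$ clauses $r_i \wedge s_{ij} \to r_j$ and the non-emptiness clause are the only additions, the guards $\neg r_e$ being added to existing clauses rather than new ones.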

3 Complexity Gap for Rel(Taut)

Let us first introduce some conventions. Recall that $\varphi_n$ is built upon two kinds of
variables, $r$'s and $s$'s. $r$-variables correspond to the relation symbols in the origi-
nal sentence $\Phi$. Suppose there are $m$ such variables, $r^1, r^2, \ldots, r^m$, having arities
$p_1, p_2, \ldots, p_m$, and let us denote $p = \max_i p_i$. Given the $r$-variable $r^i_{j_1, \ldots, j_{p_i}}$, we
say it mentions the elements $j_1, \ldots, j_{p_i}$. $s$-variables correspond to the Skolem
relations we use to encode $\Phi$ as a set of clauses. Suppose there are $l$ such vari-
ables, $s^1, s^2, \ldots, s^l$. Given the $s$-variable $s^i_{j_0, j_1, \ldots, j_{q_i}}$, we say it mentions only its
arguments $j_1, j_2, \ldots, j_{q_i}$, but not the witness, $j_0$. We also define its arity to be $q_i$,
not $q_i + 1$. Let us denote $q = \max_i q_i$ as well as $t = \max\{p, q\}$.

We will first prove that we need big clauses to refute $\varphi_n$.

Lemma 1. Any Resolution refutation of $\varphi_n$ contains a clause which mentions
at least $n^{1/q} / (2 l^{1/q}) - t$ elements.

Proof. We will describe a deterministic Adversary strategy which enforces a
big clause. As usual, Adversary holds an infinite model $M$ which satisfies $\Phi$. We
say that an element is busy in the current position (i.e. clause) iff it is mentioned
by the clause. We say an element is hidden iff it is not busy, but is the witness
of a Skolem relation having all its arguments busy. An element which is neither
busy nor hidden is said to be free. At each stage in the Prover-Adversary game
Adversary maintains two disjoint sets $B$ and $H$. $B$ is the set of all the busy
elements, and $H$ is the set of the hidden elements.

The Adversary's strategy is now clear. At any stage in the game all the
elements from the disjoint union $B \uplus H$ have interpretations in $M$. Initially
$B = H = \emptyset$. There are two kinds of Prover's moves:

1. She queries a new propositional variable. The easier case is when the variable
can be evaluated under the current interpretation. Adversary replies with the
value, and does not change $B$ and $H$. If the variable cannot be evaluated,
Adversary needs to enlarge $B$ with all the new elements mentioned by the
variable. Note that there is a constant number of such elements, namely at
most $t$. $H$ then has to be enlarged as well with the witnesses of all the new
tuples in $B$.

2. She forgets a propositional variable. Some elements from $B$ may then be-
come non-busy. Adversary removes these from $B$. Some of them may become
hidden, i.e. they are witnesses of a Skolem relation with all its arguments
from $B$, and go to $H$. The rest become free. Some elements from $H$, namely
the witnesses of the tuples which contained at least one of the just forgotten
elements, become free as well.

In any case no contradiction can be achieved as long as $|B| + |H| < n$. On the
other hand there are $l$ Skolem relations, each with arity at most $q$, so at any time
$|H| \le l |B|^q$. Thus, without loss of generality, we can assume that at any stage
in the game, before a contradiction is achieved, we have

$$|B| + l |B|^q < n.$$

Since $|B| = n^{1/q} / (2 l^{1/q})$ satisfies the inequality, and $|B|$ increases by at most $t$
after any stage, there should be a point where $|B| \ge n^{1/q} / (2 l^{1/q}) - t$, as claimed.

□

Let us now consider $\mathrm{Rel}(\varphi_n)$. We will first describe a distribution of random
restrictions which kills any big clause in any Resolution refutation of $\mathrm{Rel}(\varphi_n)$
with high probability (w.h.p.). The idea is to randomly divide the universe $U = [n]$
into two approximately equal parts. One of them, $R$, will represent the predicate
we relativise by; all the variables within it will remain unset. The rest, $C$,
will be the "chaotic" part; all the variables within $C$ and most of the variables
between $C$ and $R$ will be set entirely at random.

More precisely, the random restrictions are as follows.

1. We first set all the variables $r_i$ to either $\top$ or $\bot$ independently at random
with equal probabilities, $1/2$. Let us denote the set of elements $i$ with $r_i = \top$
by $R$, and the set of elements with $r_i = \bot$ by $C$, $C = U \setminus R$.

2. We now set all the variables $r^i_{j_1, j_2, \ldots, j_{p_i}}$, $i > 0$, which mention at least one
element of $C$, i.e. $\{j_1, j_2, \ldots, j_{p_i}\} \cap C \neq \emptyset$, to either $\top$ or $\bot$ independently at
random with equal probabilities, $1/2$.

3. We set all the variables $s^i_{j_0, j_1, \ldots, j_{q_i}}$ which mention at least one element of
$C$, i.e. $\{j_1, j_2, \ldots, j_{q_i}\} \cap C \neq \emptyset$, to either $\top$ or $\bot$ independently at random
with equal probabilities, $1/2$.

4. We finally set to $\bot$ all the variables $s^i_{j_0, j_1, \ldots, j_{q_i}}$ which mention only elements
from $R$, but whose witness is in $C$, i.e. $\{j_1, j_2, \ldots, j_{q_i}\} \subseteq R$ and $j_0 \in C$.

It is very important to note that the variables and clauses which survive the
random restriction define exactly $\Phi$ on $R$, i.e. $\varphi_{|R|}$.

There are a few minor problems. The third case of the above description may
violate an axiom, and the first case may make $R$ very small. We can however
see that these bad events happen with exponentially small probability.

Lemma 2. The probability that the random restrictions are inconsistent with
the axioms or $|R| < n/4$ is at most $l n^q / 2^n + e^{-n/16}$.

Proof. Indeed, an axiom is violated iff in the third case there is a $q_i$-tuple
$j_1, \ldots, j_{q_i}$ such that for every $j_0$, $s^i_{j_0, j_1, \ldots, j_{q_i}} = \bot$, i.e. there is no witness
for the tuple. The probability for this is $1/2^n$ and there are at most $l n^q$ such
tuples, so that the union bound gives $l n^q / 2^n$. By the Chernoff bound the prob-
ability that $|R| < n/4$ is at most $e^{-n/16}$. □

The next step is to show that the random restrictions kill any clause with
probability exponential in the number of the elements mentioned.

Lemma 3. Given a clause which mentions at least $k$ elements, the probability
that it does not evaluate to $\top$ under the random restrictions is at most $(3/4)^{k/t}$.

Proof. Let us denote the clause by $A$, and perform the following experiment. We
pick a literal $l_1$ from $A$. The probability that at least one of the elements
mentioned by $l_1$ is in the chaotic set $C$ is at least $1/2$. Given such an element,
the probability that $l_1$ evaluates to $\top$ under the random restrictions is $1/2$. Thus
the probability that $l_1$ does not evaluate to $\top$ is at most $3/4$. We now take all the
elements mentioned by $l_1$ and mark them.

We pick another literal $l_2$ from $A$ which mentions at least one unmarked
element, and proceed as we have done with $l_1$. We then pick yet another literal
$l_3$, and so on.

The clause $A$ mentions at least $k$ elements, whilst after having considered a
literal we mark at most $t$ elements, so that we can repeat the above procedure
at least $k/t$ times. These trials are independent by the construction of the
random restrictions. Therefore the probability that $A$ does not evaluate to $\top$ is
at most $(3/4)^{k/t}$, as claimed. □
We can now prove the main result of the section.

Theorem 1. A SO$\exists$ sentence $\Phi$ is given which fails in all finite models, but
holds in some infinite model. Let us denote by $\mathrm{Rel}(\Phi)$ the relativisation of $\Phi$ with
respect to a unary predicate. Let $\mathrm{Rel}(\varphi_n)$ be the translation of the latter into a
set of clauses, assuming a finite model of size $n$. Then there is a constant $\varepsilon$,
depending only on $\Phi$, such that any Resolution refutation of $\mathrm{Rel}(\varphi_n)$ is of size
$\exp(\Omega(n^{\varepsilon}))$.

Proof. Let us denote $k = \frac{n^{1/q}}{2 (4l)^{1/q}} - t$, and say a clause is big iff it mentions at least
$k$ elements. We will prove that any Resolution refutation of $\mathrm{Rel}(\varphi_n)$ contains
exponentially many (in $k$) big clauses, which gives the desired lower bound.

Assume, for the sake of contradiction, that there is a refutation $\Gamma$ which contains
at most $(4/3)^{k/(2t)}$ big clauses. We hit $\Gamma$ by random restrictions. By Lemma 2
and Lemma 3 together with the union bound, the probability that the restrictions are "bad"
is at most

$$\frac{l n^q}{2^n} + e^{-n/16} + \left(\frac{4}{3}\right)^{k/(2t)} \left(\frac{3}{4}\right)^{k/t} = \frac{l n^q}{2^n} + e^{-n/16} + \left(\frac{3}{4}\right)^{k/(2t)}.$$

As this quantity is smaller than 1 for big enough $n$ (recall that $l$, $p$, $q$ and $t$
depend on $\Phi$, but not on $n$), there is a good restriction, "good" meaning
that it kills all the big clauses, and moreover what survives is $\varphi_m$ for some
$m \ge n/4$. But now by Lemma 1 the restricted refutation, being a refutation of $\varphi_m$,
has to contain a clause mentioning at least $m^{1/q} / (2 l^{1/q}) - t \ge k$ elements, i.e. a
big clause, which is a contradiction. □

Note that we do not claim that the bound proven, $\exp(\Omega(n^{1/q}))$, is tight.
As a matter of fact, we believe the right lower bound is $\exp(\Omega(n))$, but we also
believe this might be very hard to prove, say as hard as proving the Complexity
Gap theorem for (DAG-like) Resolution.

4 Complexity Gap for Res*(k)

Theorem 2. A SO$\exists$ sentence $\Phi$ is given which fails in all finite models, but holds
in some infinite model. Let us denote by $\varphi_n$ the translation of $\Phi$ into propositional
logic, assuming a finite model of size $n$. Then for any $k$, $2 \le k \le n$, any Res*(k)
refutation of $\varphi_n$ is of size $\exp\left(\Omega\left(\frac{n \log k}{k}\right)\right)$.

Proof. We will describe the modifications of the original proof, Section 4 of
[1]. Recall that the proof goes as follows. Prover holds the Tree-like Resolution
refutation, which is equivalent to a decision tree solving the search problem for $\varphi_n$.
Adversary's task is to force a big subtree in the Prover's tree. In doing so, he uses
an infinite model $M$ in which $\Phi$ holds. At any stage in the game some elements
of the universe are interpreted in $M$, and it is clear that no contradiction can be
achieved by Prover unless she forces Adversary to interpret all the $n$ elements.
When a variable is queried by Prover, Adversary answers as follows.

1. If the truth value can be derived from the current interpretation, i.e. the
partial assignment, he replies with the value. The current interpretation is
not extended, as this was a forced question.

2. If the value cannot be derived from the current interpretation, it follows
that both $\top$ and $\bot$ answers are consistent with some extension of it. Thus
Adversary is free to choose an answer, and in both possible cases there is a
consistent extension of the current interpretation by at most $r$ new elements,
where $r$ is a constant, the maximal arity of the relation symbols in $\varphi_n$.

This shows that Prover's decision tree has to contain a complete binary subtree
of height $n/r$, which implies a $2^{n/r}$ lower bound.

Let us now consider the case of Res*(k) instead of Tree-like Resolution.
A Prover's query is a $k$-disjunction instead of a single variable. Adversary first
simplifies the query using the current interpretation. That is, if a literal evaluates
to $\bot$ it vanishes; if all the literals vanish, the query itself is forced, and the answer
is $\bot$. If a literal evaluates to $\top$ so does the entire disjunction; the query is forced,
and the answer is $\top$.

The non-trivial case is when the query is not forced, i.e. after having been
simplified, it can still be answered both $\top$ and $\bot$. For the positive answer it is
enough to force a single literal to $\top$, and therefore to interpret at most $r$ new
elements. For the negative answer Adversary should force all the literals to $\bot$,
and therefore he has to interpret all the mentioned elements, which are at most
$kr$.

We will show that the subtree rooted at a given node can be lower-bounded
by a function $S$ of the number of free elements at the node. If the number of
free elements at the current node is $u$, the $\top$ successor has at least $u - r$ such
elements whilst the $\bot$ successor has at least $u - kr$. Thus we have

$$S(u) \ge S(u - r) + S(u - kr) + 1.$$

We will prove that $S(u) \ge x_k^{u/r} - 1$, where $x_k$ is the biggest positive real root of
the equation

$$x^k - x^{k-1} - 1 = 0.$$

The induction step is trivial. By the induction hypothesis we get

$$S(u) \ge \left(x_k^{(u-r)/r} - 1\right) + \left(x_k^{(u-kr)/r} - 1\right) + 1 = x_k^{u/r - k}\left(x_k^{k-1} + 1\right) - 1 = x_k^{u/r} - 1,$$

using $x_k^{k-1} + 1 = x_k^k$.

Let us now observe that there are positive constants $a$ and $b$ such that for
every $k > 1$, $x_k$ is in the interval $\left(1 + a\frac{\ln k}{k}, 1 + b\frac{\ln k}{k}\right)$. Indeed, let us denote
$f(x) = x^k - x^{k-1} - 1$. We have $f\left(1 + c\frac{\ln k}{k}\right) = \left(1 + c\frac{\ln k}{k}\right)^{k-1} c\frac{\ln k}{k} - 1$, where $c$ is
a constant. Since $\lim_{k \to \infty} \left(1 + c\frac{\ln k}{k}\right)^{k-1} / k^c = 1$, we can conclude that for every
constant $\varepsilon > 0$ there is $k_\varepsilon$ so that for every $k > k_\varepsilon$, $f\left(1 + (1 - \varepsilon)\frac{\ln k}{k}\right) < 0$ and
$f\left(1 + (1 + \varepsilon)\frac{\ln k}{k}\right) > 0$.

It is now clear how to get the desired lower bound. At the root of every
decision tree we have all the $n$ elements free, so that the decision tree has to be of
size at least $\left(1 + a\frac{\ln k}{k}\right)^{n/r} - 1$, which is $\approx e^{a n \ln k / (rk)}$ and therefore $\exp\left(\Omega\left(\frac{n \log k}{k}\right)\right)$.

What remains to be checked is the base case, $n < kr$. In this case the size of
the tree is at least $n/r$ (as this is the minimal number of queries required to
force interpretation of all the elements), whilst the lower bound expression is
$\le e^{a \ln k} = k^a$. Clearly $n/r > k^a$ for big enough $n$, as $k \le n$ and $r$ and $a < 1$ are
constants independent of $n$. This completes the proof. □
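The two numerical facts the proof rests on, checked by computation. This is an added example, not the paper's code: it locates $x_k$ by bisection (valid because $f(x) = x^{k-1}(x-1) - 1$ is increasing on $[1, \infty)$ with $f(1) = -1$), confirms that $x_k^{u/r} - 1$ satisfies the recurrence with equality, and confirms the interval claim with the concrete constants $a = 1/2$, $b = 2$, which are this example's assumption rather than values the paper states, checked here for $2 \le k \le 500$.

```python
# Added example (not from the paper): numerically check the two facts the
# proof of Theorem 2 rests on.  x_k is the largest positive root of
# x^k - x^(k-1) - 1 = 0; (i) T(u) = x_k^(u/r) - 1 satisfies the recurrence
# S(u) >= S(u - r) + S(u - kr) + 1 with equality, and (ii) x_k lies in
# (1 + a ln k / k, 1 + b ln k / k).  The constants a = 1/2 and b = 2 are an
# assumption of this example, confirmed below for 2 <= k <= 500.
import math

def f(x, k):
    # x^k - x^(k-1) - 1 = x^(k-1) (x - 1) - 1: strictly increasing for x >= 1,
    # f(1) = -1, so the positive root above 1 is unique and bisection finds it
    return x ** (k - 1) * (x - 1) - 1

def largest_root(k, tol=1e-12):
    lo, hi = 1.0, 2.0                     # f(1) < 0 < f(2) for every k >= 2
    while hi - lo > tol:
        mid = (lo + hi) / 2
        if f(mid, k) < 0:
            lo = mid
        else:
            hi = mid
    return (lo + hi) / 2

def recurrence_residual(u, k, r):
    """T(u) - (T(u - r) + T(u - kr) + 1) for T(u) = x_k^(u/r) - 1; should be ~0,
    because T(u) - T(u - r) - T(u - kr) - 1 = x_k^(u/r - k) * f(x_k)."""
    x = largest_root(k)
    T = lambda v: x ** (v / r) - 1
    return T(u) - (T(u - r) + T(u - k * r) + 1)

def root_in_interval(k, a=0.5, b=2.0):
    """Is x_k strictly between 1 + a ln k / k and 1 + b ln k / k?"""
    x = largest_root(k)
    c = math.log(k) / k
    return 1 + a * c < x < 1 + b * c

def tree_size_exponent(n, k, r):
    """ln of the lower bound x_k^(n/r) - 1 (up to the -1): (n / r) ln x_k,
    which grows like n ln k / k since ln x_k is within constant factors of ln k / k."""
    return (n / r) * math.log(largest_root(k))

if __name__ == "__main__":
    for k in (2, 5, 20, 100):
        print(k, largest_root(k), root_in_interval(k), tree_size_exponent(1000, k, 2))
```

For $k = 2$ the root is the golden ratio, $x_2 = (1 + \sqrt 5)/2$; as $k$ grows the ratio $(x_k - 1) / (\ln k / k)$ drifts towards $1$, which is the content of the limit argument above.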

It is important to note that the lower bound we have proven is tight. The SO$\exists$
sentence which shows this is the Minimal Element Principle ($\mathrm{MEP}_n$), saying that
a finite (partially) ordered $n$-element set has a minimal element. Its negation is

$$\exists P\, \big((\forall x\, \neg P(x, x)) \wedge (\forall x, y, z\, ((P(x, y) \wedge P(y, z)) \to P(x, z))) \wedge (\forall x \exists y\, P(y, x))\big).$$

It is not hard to see that there is a Res*(k) refutation of $\mathrm{MEP}_n$ of size
$\exp\left(O\left(\frac{n \log k}{k}\right)\right)$ for any $k$, $2 \le k \le n - 1$. Note also that the Res*(n-1)
proof of $\mathrm{MEP}_n$ is essentially the same as the (DAG-like) Resolution proof of
the principle, so that our result is consistent with the known fact that $\mathrm{MEP}_n$ is
hard for Tree-like Resolution, but easy for Resolution.

5 Built-in Order "Kills" the Gap

We will first show that there is no Complexity gap for Tree-like Resolution if we
enrich the SO$\exists$-language with a built-in order predicate.

Theorem 3. There is no tree-resolution complexity gap for the logical sentences
in the language SO$\exists$ + built-in order.

Proof. Let us first describe the argument very informally. Assume a finite model
of size $n$. There are known tautologies which require exponential size to refute in Tree-
like Resolution. The most natural of them is the Minimal Element Principle (MEP),
which has already been mentioned (note that the partial order defined by MEP
is entirely independent of the built-in total order predicate).

As we have a built-in order, we can interpret the elements of the universe as
the first $n$ natural numbers. We can define in the SO$\exists$ language a broad class
of functions, such as $\log x$, $x^{p/q}$ ($p$ and $q$ integers) and so on. We will show that
it is easy, i.e. doable in polynomial size, to verify that a given element $k$ of the
universe is $f(n)$, where $f$ is a function from the class. Then we will restrict the
Minimal Element Principle to the first $k$ elements (in the built-in order) to get a
sentence in the SO$\exists$ language + built-in order predicate whose optimal refutation
is of size $2^{\Theta(f(n))}$, provided $f(n) = \Omega(\log n)$.

What remains is to show how to define and verify $f(\cdot)$ in polynomial (in $n$)
size. As an example, we will give the definitions of $\lfloor\sqrt{\cdot}\rfloor$ and $\lfloor\log(\cdot)\rfloor$.
In what follows, all the relation symbols are quantified existentially and the
free variables are quantified universally. Moreover, the definitions are nested in
the order they appear, starting with the above definition of a total order, the
outermost one. We denote by $L$ the built-in order predicate, i.e. $L(x, y)$ stands
for $x < y$.

We first define the successor function as the relation $S(x, y)$, standing for "$y$
is the successor of $x$":

$$S(x, y) = \big(L(x, y) \wedge \forall z\, \neg(L(x, z) \wedge L(z, y))\big).$$

We can define any constant by the relations $C_a(x)$, meaning $x = a$:

$$C_0(x) = (\forall y\, \neg S(y, x)),$$
$$C_a(x) = (\exists y\, (C_{a-1}(y) \wedge S(y, x))).$$

We are now ready to define addition and multiplication recursively by the fol-
lowing relations, $A(x, y, z)$ and $M(x, y, z)$, standing for $x + y = z$ and $x \times y = z$,
respectively.

$$A(x, y, z) = \Big((C_0(x) \wedge C_0(y) \wedge C_0(z)) \vee \exists u, v\, \big(S(v, z) \wedge ((S(u, x) \wedge A(u, y, v)) \vee (S(u, y) \wedge A(x, u, v)))\big)\Big)$$

$$M(x, y, z) = \Big(((C_0(x) \vee C_0(y)) \wedge C_0(z)) \vee \exists u, v\, \big((S(u, x) \wedge A(y, v, z) \wedge M(u, y, v)) \vee (S(u, y) \wedge A(x, v, z) \wedge M(x, u, v))\big)\Big)$$

We can now define $y = \lfloor\sqrt{x}\rfloor$: $y = \lfloor\sqrt{x}\rfloor$ if and only if either $y^2 \le x < (y+1)^2$,
or $y^2 \le x$ but $(y+1)^2$ is not an element of the universe.

$$R_2(x, y) = \Big(M(y, y, x) \vee \exists u\, \big(M(y, y, u) \wedge L(u, x) \wedge (\exists z, w\, (S(y, z) \wedge M(z, z, w) \wedge L(x, w)) \vee \forall z, w\, (S(y, z) \to \neg M(z, z, w)))\big)\Big)$$

We also define $y = \lfloor x/2 \rfloor$ as

$$D_2(x, y) = \exists u, v, w\, \big(C_2(u) \wedge M(u, y, v) \wedge A(v, w, x) \wedge (C_0(w) \vee C_1(w))\big),$$

and finally $y = \lfloor \log x \rfloor$, using the recursion

$$L_2(x, y) = \Big((C_1(x) \wedge C_0(y)) \vee \exists u, v\, \big(S(v, y) \wedge D_2(x, u) \wedge L_2(u, v)\big)\Big).$$

We shall not formally prove that it is possible (in a straightforward way)
to verify all the functions defined above within the decision tree computational
model. The sketch of the proof is, however, pretty clear: as all the definitions are
inductive and there are no mutually recursive relations, we check the functions in
the order they are defined, starting from the base cases. Thus all the queries are
forced in the sense that if the assignment does not satisfy the definition of the
given relation then the "wrong" answer leads to an immediate contradiction.
Thus the size of the initial part of the tree verifying the definitions of these
functions is polynomial in $n$, as claimed. □
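The definitions above, evaluated literally over a finite universe. This is an added example, not the paper's code: each quantifier becomes a loop over $\{0, \ldots, n-1\}$, each recursive relation a memoised function, and the built-in order is $L(x, y) = x < y$. It checks exhaustively, for the given $n$, that $A$, $M$, $R_2$, $D_2$ and $L_2$ define exactly $+$, $\times$, $\lfloor\sqrt{x}\rfloor$, $\lfloor x/2\rfloor$ and $\lfloor\log_2 x\rfloor$, including the edge cases the formulas handle implicitly: products and sums that fall outside the universe have no witness, $R_2$ uses the "$(y+1)^2$ does not exist" branch near the top of the universe, and $L_2(0, y)$ holds for no $y$. The universe starting at $0$ rather than $1$ is this example's choice.

```python
# Added example (not the paper's code): the relations S, C_a, A, M, R_2, D_2 and
# L_2 above, evaluated literally over the universe {0, ..., n-1} with the built-in
# order L(x, y) = x < y, and a check that each defines the function it is meant
# to define (successor, constants, +, x, floor sqrt, floor x/2, floor log2).
# Each quantifier becomes a loop over the universe and each recursive relation a
# memoised function, so the check is exhaustive for the given n.
from functools import lru_cache
import math

def arithmetic_relations(n):
    U = range(n)
    L = lambda x, y: x < y
    # S(x, y) = L(x, y) /\ forall z -(L(x, z) /\ L(z, y))
    S = [[L(x, y) and not any(L(x, z) and L(z, y) for z in U) for y in U] for x in U]

    @lru_cache(maxsize=None)
    def C(a, x):          # C_0(x) = forall y -S(y, x);  C_a(x) = exists y (C_{a-1}(y) /\ S(y, x))
        if a == 0:
            return not any(S[y][x] for y in U)
        return any(C(a - 1, y) and S[y][x] for y in U)

    @lru_cache(maxsize=None)
    def A(x, y, z):       # x + y = z
        return ((C(0, x) and C(0, y) and C(0, z)) or
                any(S[v][z] and ((S[u][x] and A(u, y, v)) or (S[u][y] and A(x, u, v)))
                    for u in U for v in U))

    @lru_cache(maxsize=None)
    def M(x, y, z):       # x * y = z
        return (((C(0, x) or C(0, y)) and C(0, z)) or
                any((S[u][x] and A(y, v, z) and M(u, y, v)) or
                    (S[u][y] and A(x, v, z) and M(x, u, v))
                    for u in U for v in U))

    def R2(x, y):         # y = floor(sqrt(x))
        return (M(y, y, x) or
                any(M(y, y, u) and L(u, x) and
                    (any(S[y][z] and M(z, z, w) and L(x, w) for z in U for w in U) or
                     all(not S[y][z] or not M(z, z, w) for z in U for w in U))
                    for u in U))

    def D2(x, y):         # y = floor(x / 2): 2y + w = x with w in {0, 1}
        return any(C(2, u) and M(u, y, v) and A(v, w, x) and (C(0, w) or C(1, w))
                   for u in U for v in U for w in U)

    @lru_cache(maxsize=None)
    def L2(x, y):         # y = floor(log2 x) for x >= 1; no witness for x = 0
        return ((C(1, x) and C(0, y)) or
                any(S[v][y] and D2(x, u) and L2(u, v) for u in U for v in U))

    return dict(S=lambda x, y: S[x][y], C=C, A=A, M=M, R2=R2, D2=D2, L2=L2)

def defines(rel, x, expected, n):
    """True iff `expected` is the unique y in the universe with rel(x, y)."""
    return [y for y in range(n) if rel(x, y)] == [expected]

def verify(n):
    """Exhaustively check the definitions over {0, ..., n-1}; True if all hold."""
    rel = arithmetic_relations(n)
    U = range(n)
    ok = all(rel['A'](x, y, z) == (x + y == z) for x in U for y in U for z in U)
    ok &= all(rel['M'](x, y, z) == (x * y == z) for x in U for y in U for z in U)
    ok &= all(defines(rel['R2'], x, math.isqrt(x), n) for x in U)
    ok &= all(defines(rel['D2'], x, x // 2, n) for x in U)
    ok &= all(defines(rel['L2'], x, x.bit_length() - 1, n) for x in range(1, n))
    ok &= not any(rel['L2'](0, y) for y in U)      # log 0 is undefined: no witness
    return bool(ok)

if __name__ == "__main__":
    print(verify(12))    # True
```

The check is only for the semantics of the definitions; the polynomial-size decision-tree verification claimed in the proof is a separate matter, about how many queries it takes to confirm that an assignment satisfies these clauses.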

Of course, the result holds for many other propositional proof systems, as
Tree-like Resolution is a very weak system and can be polynomially simulated
by them. As an important consequence we get the following.

Theorem 4. There is no Tree-like Resolution Complexity gap above $2^{O(n \log n)}$.

Proof. Let us first observe that there are SO$\exists$ statements with optimal proofs of
size $2^{\Theta(n^p)}$ for every $p \ge 1$. It is enough to take $\mathrm{MEP}_{n^p}$, i.e. MEP defined on $p$-tuples
instead of single elements of the universe. To get the intermediate complexities,
we could restrict the last element of any such $p$-tuple to be less than or equal
to $f(n)$, where $f$ is some function and $n$ is the size of the universe (model).
The optimal tree resolution proof of the statement obtained in this way would
be $2^{\Theta(n^{p-1} f(n))}$. However, we do not have any predefined functions in our language.
The definition of $f$ therefore should be a part of the sentence, and the proof
should "verify" the definition of the function $f$. We shall use the same argument
as in the previous proof. However, we do not have a total order either,
so we have to define it within the SO$\exists$ language, and to verify it by a decision
tree. In the rest of the section we will show how to do this, which completes
the proof. □

The total order can be defined as 

3 L (Va :->L(x,x) 

A Vx, y {{x = y)V L (x, y) V L (y, x)) 

A Vx, y, z ((L (x, y) A L (y, z)) -4 L (x, z))) , 

and we complete the argument by proving the following lemma. 

Lemma 4. The relation L can be optimally verified by a decision tree of size 

2^0(n log n) 



Proof. The sentence translates into the following set of clauses: 

-1 hi i 
l%j V l ji i,j 

->lij V ->ljkV lik i,j,k. 
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It is clear that every permutation 7r of {1, 2, . . . n} defines a satisfying assignment 
by setting to T if and only if n (i) < tt (j) and vice versa. This observation 
immediately implies a lower bound of n! = 2 n ( nl ° sn \ 

A decision tree which verifies $L$ can be constructed by incrementally ordering 
the elements of the universe. Suppose we already have a decision tree which 
orders the first $j$ elements, i.e. each leaf corresponds either to a contradiction 
or to a permutation of $\{1, 2, \ldots, j\}$ as explained above. We can now expand the 
latter leaves by finding the place of the $(j+1)$-th element. In doing so, we use 
binary search, which uses $O(\log(j+1))$ free-choice queries. Once the place of 
the $(j+1)$-th element has been found, all the queries involving it and some of 
the previous $j$ elements are forced, i.e. one of the answers leads to an immediate 
contradiction. Thus the forced queries contribute a polynomial factor to the size 
of the subtree consisting of the free-choice queries only. The depth of this subtree 
is $\sum_{j=1}^{n-1} O(\log(j+1)) = O(n \log n)$, and therefore its size and the size of the 
entire decision tree is $2^{O(n \log n)}$. □ 
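The incremental strategy of this proof, as an added worked example (constructed here, not code from the paper): the procedure places each new element by binary search (the free-choice queries), then asks the remaining literals on that element, each of which is forced by the order found so far; it is compared exhaustively against the clause set above, which also checks the $n!$ count behind the lower bound. The function names and the matrix encoding `l[i][j]` of the variable $l_{ij}$ are assumptions of the example.

```python
from itertools import product
from math import ceil, log2

def clauses_satisfied(n, l):
    """Brute-force check of the three clause families; l[i][j] is the
    truth value of the variable l_ij (constructed encoding)."""
    for i in range(n):
        if l[i][i]:                                         # clause ¬l_ii
            return False
        for j in range(n):
            if i != j and not (l[i][j] or l[j][i]):         # clause l_ij ∨ l_ji
                return False
            for k in range(n):
                if l[i][j] and l[j][k] and not l[i][k]:     # clause ¬l_ij ∨ ¬l_jk ∨ l_ik
                    return False
    return True

def order_assignment(perm):
    """The satisfying assignment induced by a permutation: l_ij = T iff perm(i) < perm(j)."""
    n = len(perm)
    return [[perm[i] < perm[j] for j in range(n)] for i in range(n)]

def decision_tree_verify(n, l):
    """Run the decision tree of the proof on one assignment.

    Returns (accepted, free, forced): the number of free-choice queries
    (binary search for the place of the next element) and of forced queries
    (one answer is fixed by the order found so far, the other is a contradiction)."""
    asked = set()

    def query(i, j):
        asked.add((i, j))
        return l[i][j]

    order, free, forced = [], 0, 0            # order: elements seen so far, sorted
    for j in range(n):
        forced += 1
        if query(j, j):                        # ¬l_jj must hold
            return False, free, forced
        lo, hi = 0, len(order)                 # binary search for the place of j
        while lo < hi:
            mid = (lo + hi) // 2
            free += 1
            if query(order[mid], j):           # order[mid] comes before j
                lo = mid + 1
            else:
                hi = mid
        order.insert(lo, j)
        pos = {x: p for p, x in enumerate(order)}
        for x in order:                        # the remaining literals on j are forced
            if x == j:
                continue
            for a, b in ((x, j), (j, x)):
                if (a, b) in asked:
                    continue
                forced += 1
                if query(a, b) != (pos[a] < pos[b]):
                    return False, free, forced
    return True, free, forced

def free_query_bound(n):
    """Depth bound of the free-choice subtree: the sum over j of ceil(log2(j+1))."""
    return sum(ceil(log2(j + 1)) for j in range(1, n))

def check_all(n):
    """Compare the decision tree with the clause check on all assignments to the
    n*n variables; returns the number of accepted assignments, which is n!."""
    pairs = [(i, j) for i in range(n) for j in range(n)]
    accepted = 0
    for bits in product((False, True), repeat=len(pairs)):
        l = [[False] * n for _ in range(n)]
        for (i, j), b in zip(pairs, bits):
            l[i][j] = b
        ok, free, _ = decision_tree_verify(n, l)
        if ok != clauses_satisfied(n, l) or free > free_query_bound(n):
            raise AssertionError("decision tree disagrees with the clauses")
        accepted += ok
    return accepted
```

`check_all(3)` returns 6 and `check_all(4)` returns 24: exactly the permutation assignments are accepted, and no run of the tree uses more free-choice queries than the $\sum_j \lceil \log_2(j+1) \rceil$ bound.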
Abstract. The $\lambda_{ws}$-calculus is a $\lambda$-calculus with explicit substitutions 
introduced in [4]. It satisfies the desired properties of such a calculus: 
step by step simulation of $\beta$, confluence on terms with meta-variables and 
preservation of the strong normalization. It was conjectured in [4] that 
simply typed terms of $\lambda_{ws}$ are strongly normalizable. This was proved 
in [7] by Di Cosmo & al. by using a translation of $\lambda_{ws}$ into the proof nets 
of linear logic. We give here a direct and elementary proof of this result. 

The strong normalization is also proved for terms typable with second 
order types (the extension of Girard's system F). This is a new result. 

1 Introduction 

Explicit substitutions provide an intermediate formalism which, by decomposing 
the $\beta$ rule of the $\lambda$-calculus into more atomic steps, gives a better understanding 
of the execution models. The pioneer calculus with explicit substitutions, 
$\lambda\sigma$, was introduced by Curien & al. in [1] as a bridge between the classical 
$\lambda$-calculus and concrete implementations of functional programming languages. 
Since Melliès [6] has shown that this calculus does not preserve strong normalization, 
even for typed terms, finding a system satisfying the following properties 
became a challenge: 

— step by step simulation of $\beta$, 

— confluence on terms with meta-variables, 

— strong normalization of the calculus of substitutions, 

— preservation of strong normalization of the $\beta$-reduction. 

During the last decade, various systems were presented in the literature but 
none of them satisfied simultaneously the previous properties. $\lambda_{ws}$, the calculus 
we introduced in [4], has been the first satisfying all of them. In addition to 
explicit substitutions, the terms of $\lambda_{ws}$ are decorated with "labels". The typed 
version of the calculus (also introduced in [4]) shows that there is a strong 
link between the computational and the logical points of view: substitutions 
correspond to cuts and labels to weakenings. The proof that any pure $\lambda$-term 
which is $\beta$-strongly normalizable is still strongly normalizable in the $\lambda_{ws}$-calculus 
was highly technical and uses ad-hoc methods. We conjectured that the typed 
terms are strongly normalizable (SN). Di Cosmo, Kesner and Polonovsky [7] 
understood the relation between $\lambda_{ws}$ and linear logic and, by using a translation 
of $\lambda_{ws}$ into proof nets, they proved this conjecture. We give here a direct and 
arithmetical proof of SN for simply typed terms. This proof is based on the one 
for the (usual) $\lambda$-calculus due to the first author [2,3]. We also prove, by using 
the standard notion of reducibility candidates, that terms typable with second 
order types (the extension of Girard's system F) are strongly normalizable. This 
result is new. 

The general idea of the proofs is the following. We first give a simple characterization 
of strongly normalizing terms (theorem 3). This result, which is only 
concerned with the untyped calculus, is interesting by itself and may be used to 
prove other results on $\lambda_{ws}$. It can be seen as a kind of standardization result. Theorem 3 
mainly consists of commutation results. Note that permutation of rules 
is also the main ingredient in the proof of [7]. Then, for $S$, we use this characterization 
to prove, by a tricky induction, a substitution lemma (theorem 6) 
from which the result follows immediately. For $T$, we use this characterization 
to prove that if a term is typed then it belongs to the interpretation of its type. 

The paper is organized as follows. Section 2 gives the main notations. In 
section 3 we introduce some useful notions and we prove the key technical result. 
It is used in section 4 to prove SN for simply typed terms and in section 5 for 
second order types. 

2 The $\lambda_{ws}$-Calculus 

2.1 The Untyped Calculus 

We define here a variant of $\lambda_{ws}$ which is equivalent to the one in [4]: $(k)$ is no longer 
primitive but becomes the abbreviation of $()\ldots()$, $k$ many times, and $n$ is coded 
by $(n)0$. Since the strong normalization of both formulations are equivalent (see 
proposition 1 below) and the proof is a bit simpler for the new one, we introduce 
here this calculus. 

Definition 1. The set of terms of $\lambda_{ws}$ is defined by the following grammar: 

$$T ::= 0 \mid \lambda T \mid (T\ T) \mid ()T \mid [i/T, j]T \qquad \text{where } i, j \in \mathbb{N},$$

and the reduction rules of the $\lambda_{ws}$-calculus are given in fig. 1. 

Remark 1. — The "logical" meaning of $()$ and $[i/u,j]t$ is given by the typing 
rules. The "algorithmic" meaning is, intuitively, the following: $(k)t$ means 
that each de Bruijn index in $t$ is increased by $k$ (as a consequence, there is 
no variable with de Bruijn index less than $k$ in $t$) and $[i/u,j]t$ represents 
the term $t$ in which the variable indexed by $i$ is substituted by $u$ with a 
re-indexing commanded by $j$. 

— It is clear that the version of $\lambda_{ws}$ presented here is a restriction of the one in 
[4]. For self completeness the terms and the rules of this calculus are given in 
the appendix. The translation $\phi$ from the latter to the present one is given 
by: $\phi(t)$ is obtained from $t$ by replacing $n$ by $(n)0$ and then $(k)$ by $()\ldots()$, 
$k$ many times. In particular, $(0)$ is empty. 




Strong Normalization of the Typed $\lambda_{ws}$-Calculus 157 

$$\begin{array}{llll}
b & ((k)\lambda t\ u) & \to & [0/u, k]t \\
l & [i/u, j]\lambda t & \to & \lambda[i+1/u, j]t \\
a & [i/u, j](t\ v) & \to & ([i/u, j]t\ [i/u, j]v) \\
e_1 & [0/u, j]()t & \to & (j)t \\
e_2 & [i/u, j]()t & \to & ()[i-1/u, j]t \qquad i > 0 \\
n_1 & [i/u, j]0 & \to & 0 \qquad i > 0 \\
n_2 & [0/u, j]0 & \to & u \\
c_1 & [i/u, j][k/v, l]t & \to & [k/[i-k/u, j]v, j+l-1]t \qquad k \leq i < k+l \\
c_2 & [i/u, j][k/v, l]t & \to & [k/[i-k/u, j]v, l][i-l+1/u, j]t \qquad k+l \leq i
\end{array}$$

Fig. 1. Reduction rules of $\lambda_{ws}$ 

— Note that, in this variant, the reduction rules become a bit simpler and some 
of them ($m$ and $n_3$ in the original calculus) even disappear. Also note that 
rules $b_1$ and $b_2$ give a unique rule $b$ which is in fact a family of rules since 
$(k)$ represents a family of symbols. 

Proposition 1. If $t \to t'$ then $\phi(t) \to^* \phi(t')$. In particular, the strong normalization 
of both versions of $\lambda_{ws}$ are equivalent. 

Proof. Straightforward. □ 



2.2 The Typed Calculus 

Definition 2. Let $V$ be a set of type variables. 

— The set $S$ of simple types is defined by: $S ::= V \mid S \to S$ 

— The set $T$ of second-order types is defined by: $T ::= V \mid T \to T \mid \forall\alpha.T$ 

Definition 3. — A basis $\Gamma$ is an (ordered) list of types. The length of $\Gamma$ is 
denoted by $\|\Gamma\|$. 

— The typing rules for $T$ are given in fig. 2. Note that the first element (on 
the left) of $\Gamma$ corresponds to the variable with de Bruijn index 0. For $S$, just 
forget $\forall_i$ and $\forall_e$. 

Proposition 2. Both systems have subject reduction: if $\Gamma \vdash t : A$ and $t \to u$, 
then $\Gamma \vdash u : A$. 

Proof. We have to check that, for each rule, the typing is preserved after reduction. 
We give below the example of rule $b$. The proof is detailed in [5] for the 
original version of the calculus. 

The typing of the $b$-redex $((k)\lambda t\ u)$ is given on the left and the typing of 
its reduct $[0/u,k]t$ is given on the right. We assume that $\|\Gamma\| = k$ and the last 
element of $\Gamma$ is $C$. 
$$\frac{}{A,\Gamma \vdash 0 : A}\ (Ax) \qquad\qquad \frac{\Gamma \vdash t : A}{B,\Gamma \vdash ()t : A}\ (Weak)$$

$$\frac{A,\Gamma \vdash t : B}{\Gamma \vdash \lambda t : A \to B}\ (\to_i) \qquad\qquad \frac{\Gamma \vdash t : A \to B \qquad \Gamma \vdash u : A}{\Gamma \vdash (t\ u) : B}\ (\to_e)$$

$$\frac{\Gamma, A, \Phi \vdash t : B \qquad \Delta, \Phi \vdash u : A}{\Gamma, \Delta, \Phi \vdash [i/u, j]t : B}\ (Cut) \qquad \text{where } i = \|\Gamma\| \text{ and } j = \|\Delta\|$$

$$\frac{\Gamma \vdash t : A}{\Gamma \vdash t : \forall\alpha.A}\ (\forall_i)\ \text{ if } \alpha \notin \Gamma \qquad\qquad \frac{\Gamma \vdash t : \forall\alpha.A}{\Gamma \vdash t : A\{\alpha := B\}}\ (\forall_e)$$

Fig. 2. Typing rules of the $\lambda_{ws}$-calculus 

Typing of the $b$-redex (left), where $(Weak)$ is applied $k$ times, once for each element of $\Gamma$, the first of them introducing $C$: 

$$\frac{\dfrac{\dfrac{\dfrac{A, \Delta \vdash t : B}{\Delta \vdash \lambda t : A \to B}\ (\to_i)}{C, \Delta \vdash ()\lambda t : A \to B}\ (Weak)}{\Gamma, \Delta \vdash (k)\lambda t : A \to B}\ (Weak) \qquad \Gamma, \Delta \vdash u : A}{\Gamma, \Delta \vdash ((k)\lambda t\ u) : B}\ (\to_e)$$

Typing of the reduct (right), where $(Cut)$ is applied with $i = 0$ and $j = \|\Gamma\| = k$: 

$$\frac{A, \Delta \vdash t : B \qquad \Gamma, \Delta \vdash u : A}{\Gamma, \Delta \vdash [0/u, k]t : B}\ (Cut)$$

□ 
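The rules of fig. 2 as an added, constructed type checker (not the authors' code) that replays the subject-reduction check for rule $b$ above on a concrete instance. Assumptions of the example: lambdas carry the type of their bound variable so that types can be inferred without search, a type is a string (type variable) or a `('->', A, B)` tuple, and a basis is a Python list whose first element types index 0, as in Definition 3.

```python
# Types: a type variable is a string; an arrow type is ('->', A, B).
def arrow(a, b):
    return ('->', a, b)

# Terms, shaped like the grammar of Definition 1 except that the lambda is
# annotated with its domain (an assumption of this example, not the paper's syntax).
VAR = ('var',)                                    # de Bruijn index 0
def lam(a, t):       return ('lam', a, t)         # λt with the bound variable of type a
def app(t, u):       return ('app', t, u)         # (t u)
def weak(t):         return ('w', t)              # ()t
def sub(i, u, j, t): return ('sub', i, u, j, t)   # [i/u,j]t

def weaks(k, t):
    """(k)t abbreviates ()...()t, k times."""
    for _ in range(k):
        t = weak(t)
    return t

def infer(basis, t):
    """Type of t in the ordered basis (basis[0] types index 0); raises TypeError."""
    tag = t[0]
    if tag == 'var':                              # Ax:    A,Γ ⊢ 0 : A
        if not basis:
            raise TypeError('index 0 is unbound')
        return basis[0]
    if tag == 'w':                                # Weak:  Γ ⊢ t : A  gives  B,Γ ⊢ ()t : A
        if not basis:
            raise TypeError('nothing to weaken')
        return infer(basis[1:], t[1])
    if tag == 'lam':                              # →i:    A,Γ ⊢ t : B  gives  Γ ⊢ λt : A→B
        return arrow(t[1], infer([t[1]] + basis, t[2]))
    if tag == 'app':                              # →e
        ft, at = infer(basis, t[1]), infer(basis, t[2])
        if ft[0] != '->' or ft[1] != at:
            raise TypeError('argument type does not match')
        return ft[2]
    # Cut: Γ,A,Φ ⊢ t : B and Δ,Φ ⊢ u : A give Γ,Δ,Φ ⊢ [i/u,j]t : B,
    # with i = ||Γ|| and j = ||Δ||; here basis = Γ ++ Δ ++ Φ.
    _, i, u, j, body = t
    if i + j > len(basis):
        raise TypeError('substitution indices exceed the basis')
    gamma, phi = basis[:i], basis[i + j:]
    a = infer(basis[i:], u)                       # u is typed in Δ,Φ
    return infer(gamma + [a] + phi, body)         # t is typed in Γ,A,Φ

def is_well_typed(basis, t):
    try:
        infer(basis, t)
        return True
    except TypeError:
        return False

def subject_reduction_for_b():
    """The instance of Proposition 2's example with Γ = [C] (so k = 1), Δ = [D],
    A = C and B = D: the redex ((1)λ()0 0) and its reduct [0/0,1]()0 both get type D."""
    basis = ['C', 'D']                                      # Γ,Δ
    redex = app(weaks(1, lam('C', weak(VAR))), VAR)         # ((1)λ()0 0)
    reduct = sub(0, VAR, 1, weak(VAR))                      # [0/0,1]()0
    return infer(basis, redex), infer(basis, reduct)
```

`subject_reduction_for_b()` returns `('D', 'D')`: the $(Cut)$ instance splits the basis into $\Gamma = []$, $\Delta = [C]$, $\Phi = [D]$, types $u = 0$ in $\Delta,\Phi$ and $t = ()0$ in $A,\Phi = [C, D]$, exactly as in the right-hand derivation above.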



3 Characterization of Strongly Normalizable Terms 

This section gives a characterization (Theorem 3) of strongly normalizable terms. 
This is the key to the proof of strong normalization for both systems. We 
first need some definitions. 

3.1 Some Definitions 

Definition 4. The set $S$ of substitutions and the set $E$ are defined by the following 
grammars: 

$$S ::= \emptyset \mid [i/T, j]S \qquad\qquad E ::= \emptyset \mid ()S \mid [i/T, j]E$$

Definition 5. Some particular contexts are defined by the following grammars 
where $*$ denotes a hole and, if $H$ is a context, $H[t]$ denotes the term obtained by 
replacing $*$ by $t$ in $H$. 

$$C_i ::= * \mid S\,C_i \mid \lambda C_i \qquad\qquad C_e ::= * \mid E\,C_e \mid (C_e\ T) \qquad\qquad C ::= C_i[C_e]$$

Note that these contexts have a unique hole at the leftmost position. The elements 
of $C$ (resp. $C_i$, $C_e$) are called head contexts (resp. i-contexts, e-contexts). 
Elements of $T$ (resp. $S$, $E$, $C$) will be denoted by $t, u, v, w$ (resp. by $s$, by $\sigma$, by 
$H, K$). 
Notation 1 1. We denote by $\to$ the least congruence on $T \cup C$ containing the 
rules of fig. 1. As usual, $t \to^* t'$ (resp. $t \to^+ t'$) means that $t$ reduces to $t'$ by 
some steps (resp. at least one step) of reduction. 

2. The set of strongly normalizable terms (i.e. such that every sequence of $\to$ 
reductions is finite) is denoted by $SN$. 

Lemma 1 (and notation). Every term in $T$ can uniquely be written as $H[0]$ 
or $H[(\sigma\lambda u\ v)]$ where $H$ is a head context. The head of $t$ (denoted by $hd(t)$) is: 

$$hd(H[0]) = H \qquad\qquad hd(H[(\sigma\lambda u\ v)]) = H[(\sigma *\ v)]$$

Proof. Straightforward. □ 

Notation 2 Say $t \to_r t'$ if $t \to t'$ with the following restrictions: use only 
the rules $a$, $e$, $c$ and only in $hd(t)$ either at the top level or, recursively, for 
$[i/u,j]$ in $hd(t)$, only in $hd(u)$. The rule $l$ is also permitted but only in $H_i$ 
where $hd(t) = H_i[H_e]$ with $H_i \in C_i$ and $H_e \in C_e$. 

Example 1. 

$$[0/b, 0](\lambda[0/c, 0]1\ [0/d, 1]0) \to_r^* ([0/b, 0]\lambda[0/c, 0]1\ [0/[0/b, 0]d, 1]0)$$

$$[0/a, 0]\lambda(b\ c) \to_r^* \lambda([1/a, 0]b\ [1/a, 0]c)$$

$$[0/[0/a, 0]\lambda c, 0]b \to_r [0/\lambda[1/a, 0]c, 0]b$$

$$(\lambda[0/a, 0]()b\ c) \not\to_r^* (\lambda b\ c)$$

Lemma 2 (and notation). The reduction $\to_r$ is locally confluent and thus 
is confluent for terms such that $hd(t) \in SN$. The $r$-normal form of $t$ will be 
denoted by $r(t)$. 

Proof. Straightforward. □ 

Remark 2. The $r$-reduction is actually strongly normalizing for every term and 
thus confluent. This follows immediately from the strong normalization of the 
calculus of substitution (i.e. all the rules except $b$) which is proved in [4]. We 
have stated the previous lemma in this way to keep this paper self contained, 
i.e. our proof does not need this result. Thus, in the rest of the paper, when we 
use $r(t)$ or the confluence of $r$ we have to check that $hd(t) \in SN$. We will not 
mention this since this is always straightforward. 

Definition 6. 1. Let $H$ be a head context. Let $R(H) \subseteq T$, $L(H) \in C$ and, if 
$H \in C_i$, $I(H) \in T$ be defined by the following rules: 

— $R(*) = \emptyset$, $R(\lambda H) = \lambda R(H)$, $R(\sigma H) = \sigma R(H)$ and $R((H\ t)) = R(H) \cup \{t\}$. 

— $L(*) = *$, $L(\lambda H) = \lambda L(H)$, $L(\sigma H) = \sigma L(H)$ and $L((H\ t)) = L(H)$. 

— $I(*) = 0$, $I(H[\lambda *]) = I(H[()*]) = I(H)$ and $I(H[[i/u, j]*]) = H[(i)u]$. 

2. A head context is pure if $L(H)$ has no substitutions. 

3. Let $t$ be a term in $T$. The set $arg(t) \subseteq T$ is defined by: 

— $arg(H[0]) = R(H) \cup \{I(L(H))\}$ 

— $arg(H[(\sigma\lambda u\ v)]) = R(H[(*\ v)]) \cup \{L(H)[\sigma\lambda u]\}$ 

Remark 3. In the previous definition, the equation $R(\lambda H) = \lambda R(H)$ actually 
means, since $R(H)$ is a set of terms, $R(\lambda H) = \{\lambda t \mid t \in R(H)\}$ and similarly 
for $R(\sigma H) = \sigma R(H)$. 

Example 2. 

$$arg([4/0, j]((2)\lambda 3\ 0)) = \{[4/0, j](2)\lambda 3,\ [4/0, j]0\}$$

$$arg([2/0, j][0/u, 2]()0) = \{[2/0, j]u\}$$

Lemma 3. — Let $t = H[0]$. Then $r(t)$ can be uniquely written as $K[s0]$ where 
$K$ is pure. 

— Let $t = H[(\sigma\lambda u\ v)]$. Then $r(t)$ can be uniquely written as $K[((k)s\lambda u\ v_1)]$ 
where $K$ is pure. 

Proof. Straightforward. □ 

Definition 7. Let $s \in S$ be a substitution, we define $s^+ \in S$ and $s^{\downarrow} \in T$ as 
follows: 

— $s^+$ is defined by: $\emptyset^+ = \emptyset$ and $([i/u, j]s)^+ = [i+1/u, j]s^+$. 

— $s^{\downarrow}$ is defined by: $\emptyset^{\downarrow} = 0$ and $(s[i/u, l])^{\downarrow} = s\,u$ if $i = 0$ and $s^{\downarrow}$ otherwise. 

Definition 8. Let $t$ be a term in $T$. The head reduct of $t$ (denoted as $hred(t)$) 
is defined as follows: 

— If $t = H[0]$ and $r(t) = K[s0]$ then $hred(t) = K[s^{\downarrow}]$. 

— If $t = H[(\sigma\lambda u\ v)]$ and $r(t) = K[((k)s\lambda u\ v_1)]$ then $hred(t) = K[[0/v_1, k]s^+ u]$. 

Example 3. With terms as in the previous example, we have: 

$$hred([4/0, j]((2)\lambda 3\ 0)) = [0/[4/0, j]0, 2][3/0, j]3$$

$$hred([2/0, j][0/u, 2]()0) = 2$$

Theorem 3. Let $t \in T$ be such that $arg(t) \subseteq SN$. 

1. Assume $t \to t'$ and $t' \in SN$. Then $t \in SN$. 

2. Assume $hred(t) \in SN$. Then $t \in SN$. 

3.2 Proof of Theorem 3 

We first need some notations and lemmas. 

Notation 4 1. If $t \in SN$, $\eta(t)$ is the length of the longest reduction starting 
from $t$ and $\eta_0(t)$ is the maximum number of $b$ or $n$ steps in a reduction 
starting from $t$. 

2. The complexity of a term $t$ (denoted by $cxty(t)$) is defined by: 
$cxty(*) = cxty(0) = 0$, $cxty(\lambda t) = cxty(()t) = cxty(t) + 1$, 
$cxty((t\ t')) = cxty(t) + cxty(t') + 1$ and finally $cxty([i/t', j]t) = cxty(t) + cxty(t') + i + 1$. 

Note that the unusual definition of $cxty([i/t', j]t)$ is due to the fact that 
$cxty((k)) = k$. It ensures that $cxty([i/u, j]) > cxty((i)u)$ and thus, except for 
$t = 0$, $cxty(u) < cxty(t)$ for any $u \in arg(t)$. 

Lemma 4. Let $H$ be a head context, $u$ be a term and $w \in arg(H[u])$. Then, 

— either $w \in R(H)$, 

— or $w = L(H)[v]$ for some $v \in arg(u)$, 

— or $H$ is not an i-context, $u = \sigma\lambda u'$ and $w = L(H)[u]$. 

Proof. Straightforward. □ 

Lemma 5. Let $H \in C$ be pure. 

1. If $t = H[u] \in SN$ and $s \in SN$, then $H[[0/u, j]s^+ 0] \in SN$. 

2. If $t = H[[0/v, k]s^+ u] \in SN$, then $H[((k)s\lambda u\ v)] \in SN$. 

Proof. By induction on $\eta(t) + \eta(s^+ 0)$ for (1) and $\eta(t) + cxty(s)$ for (2). □ 

Lemma 6. Let $K$ be a head context. Assume that 

— either $k \geq i + j$ and $w = [i/[k-i/v, l]u, j][k-j+1/v, l]K \to^* w_1 = K_1[[0/[k-i/v, l]u, j]s^+ *]$, 

— or $i \leq k < i + j$ and $w = [i/[k-i/v, l]u, l+j-1]K \to^* w_1 = K_1[[0/[k-i/v, l]u, j]s^+ *]$. 

Then, there is a head context $K_2$ such that $[i/u, j]K \to^* K_2[[0/u, j_2]s^+ *]$ and 
$[k/v, l]K_2[[0/u, j_2]s^+ *] \to^* w_1$. 

Proof. By induction on the length of the reduction $w \to^* w_1$. □ 

Lemma 7. Assume $w = [i/u, j]K_1[[k/v', l]K_2] \to^* w_1 = K_3[[0/u, j]s^+ *]$ and 
$v \to v'$. Then, $[i/u, j]K_1[[k/v, l]K_2] \to^* K_4[[0/u, j]s_1^+ *] \to^* K_3[[0/u, j]s^+ *]$ for 
some $K_4, s_1$. 

Proof. By induction on the length of the reduction $w \to^* w_1$. □ 

Lemma 8. 1. Assume $t = H[(\sigma\lambda u\ v)] \to^* t_0 = H_0[((k_0)\lambda u_0\ v_0)]$. Then, there 
is a term $t_1 = H_1[((k_1)s_1\lambda u\ v_1)]$ such that $t \to_r^* t_1 \to^* t_0$. 

2. Assume $t = H[0] \to^* t_0 = H_0[[0/u_0, j_0]s_0^+ 0]$. Then, $H$ can be written 
as $K[[i/u, j]K_0]$ such that $[i/u, j]K_0 \to_r^* K_0' = K_1[[0/u, j]s^+ *]$ and 
$t_1 = K[K_0'][0] \to^* t_0$. 

Proof. First note that we should be a bit more precise in the terms of the lemma: 
we implicitly assume that the potential $b$-redex (resp. $n$-redex) at the end of the 
left branch of $t$ is not reduced during the reduction $t \to^* t_0$. The lemma is proved 
by induction on the length of the reduction $t \to^* t_0$. We give some details only 
for (2). They are similar and simpler for (1). 

The result is clear for $t = t_0$. Assume $t \to^+ t_0$. By the induction hypothesis, 
$H \to H_1 = K[[i/u, j]K_0]$ for some $K, u, K_0$ such that $[i/u, j]K_0 \to_r^* K_0' = K_1[[0/u, j]s^+ *]$ 
and $t_1 = K[K_0'][0] \to^* t_0$. $H$ can be written as $K_3[[i/u_1, j_1]K_2]$, 
and the following cases arise: 

— if $K_3 \to K$ or $u_1 \to u$ the result is trivial, 

— if $K_2 = (*\ v)$ and $K = K_3[(*\ [i/u, j]v)]$ the result is trivial, 

— if $[i/u, j]K_2 \to_r [i/u, j]K_0$ the result is trivial, 

— if $K_2 \to K_0$ but the reduction is not an $r$-reduction, the result follows from 
lemma 7, 

— if $K_3 = K[[k/v, l]*]$ and, either $[i/u, j] = [i/[k-i/v, l]u_1, j_1]$ and 
$K_0 = [k-j_1+1/v, l]K_2$, or $[i/u, j] = [i/[k-i/v, l]u_1, l+j_1-1]$ and $K_0 = K_2$, 
the result follows from lemma 6. □ 

Lemma 9. 1. Assume $t_1 = H_1[(\sigma_1\lambda u\ v_1)] \to^* t_0 = H_0[((k_0)\lambda u_0\ v_0)]$. Then, 
$H_1[[0/v_1, k_1]s_1^+ u] \to^* H_0[[0/v_0, k_0]u_0]$ where $r(\sigma_1) = (k_1)s_1$. 

2. Assume $t_1 = H_1[[0/u_1, j_1]s_1^+ 0] \to^* t_0 = H_0[[0/u_0, j_0]s_0^+ 0]$. Then, 
$H_1[u_1] \to^* H_0[u_0]$. 

Proof. By induction on the length of the reduction $t_1 \to^* t_0$. Look at the first 
reduction. Note that there is no simple relation between the original and the 
resulting reduction sequence and, in particular, the latter may be longer than 
the original. □ 

Lemma 10. 1. Assume $H[(\sigma\lambda u\ v)] \to^* t_0$. Then $t_0$ has the form $H_0[(\sigma_0\lambda u\ v_0)]$ 
and $H[[0/v, k]s^+ u] \to^* H_0[[0/v_0, k_0]s_0^+ u]$ where $r(\sigma) = (k)s$ and $r(\sigma_0) = (k_0)s_0$. 

2. Assume $H_0[[0/u, j]s^+ 0] \to^* t_0$. Then $t_0$ has the form $H_1[[0/u_1, j_1]s_1^+ 0]$ where 
$H_0 \to^* H_1[s_2 *]$ for some $s_2$ such that $s_2[0/u, j]s^+ \to^* [0/u_1, j_1]s_1^+$. 

Proof. Straightforward. □ 

Lemma 11. Let $K$ be an i-context. Then, $K \in SN$ iff $I(K) \in SN$ and, in this 
case, $\eta_0(I(K)) \leq \eta_0(K)$. 

Proof. This follows immediately from the following result. Let $K$ be an i-context, 
then: $K[[i/u, j]*] \in SN \Leftrightarrow K[(i)u] \in SN$ and, in this case, 
$\eta_0(K[(i)u]) \leq \eta_0(K[[i/u, j]*])$. 

$\Rightarrow$ Prove, by induction on $(\eta(t), cxty(K))$, that if $t = K[s[i/u, j]*] \in SN$ then 
$K[d(s, i)u] \in SN$ where $d(s, i)$ is the result of moving down $s$ through $(i)$. It 
is enough to prove that, if $K[d(s, i)u] \to t'$ then $t' \in SN$. This is done by a 
straightforward case analysis. 

$\Leftarrow$ This is proved by showing that to any sequence of reductions of $t' = K[(i)u]$ 
corresponds a sequence of reductions of $t$ with the same $b$ or $n$ steps. Define 
for $s \in S$, $\delta(s) \in \mathbb{Z}$ by: $\delta(\emptyset) = 0$ and $\delta([k/v, l]s) = \delta(s) + l - 1$. 

We show that, to a term of the form $K'[(i')u']$ coming from $t'$ corresponds, 
for some $s$ such that $\delta(s) \leq i'$, the term $K'[s[i' - \delta(s)/u', l]*]$ coming from 
$t$. This is done by a straightforward case analysis. For example, if 
$t' \to^* K'[[k/v, l](i')u'] \to K'[(l + i' - 1)u']$ then 
$t \to^* K'[[k/v, l]s[i' - \delta(s)/u', l]*] = K'[s'[i' - \delta(s')/u', l]*]$ where $s' = [k/v, l]s$. 

It is important to note that the result on $\eta_0$ would not be true with $\eta$. This is 
essentially because $[k/v, l]$ can always go through $(i)$ whereas $[k/v, l]$ cannot 
move down in $[i/u, j]$ if $k < i$. □ 
Lemma 12. Let $t \in T$ be such that $arg(t) \subseteq SN$ and $t \notin SN$. Then, 

1. If $t = H[(\sigma\lambda u\ v)]$, there is a term $t_1 = H_1[((k_1)s_1\lambda u\ v_1)]$ such that $t \to_r^* t_1$ 
and $H_1[[0/v_1, k_1]s_1^+ u] \notin SN$. 

2. If $t = H[0]$ there is a term $t_1 = K[K_1[[0/u, j]s^+ 0]]$ such that $t \to_r^* t_1$, $t$ can 
be written as $K[[i/u, j]K_0][0]$ and $K[K_1][u] \notin SN$. 

Proof. 1. Since $arg(t) \subseteq SN$, the potential $b$-redex must be reduced in an infinite 
reduction of $t$ and thus such a reduction looks like: 
$t \to^* H_0[((k_0)\lambda u_0\ v_0)] \to H_0[[0/v_0, k_0]u_0] \to \ldots$ and the result follows from lemmas 8 and 9. 

2. Since $arg(t) \subseteq SN$ and thus, by lemma 11, $H \in SN$, an infinite reduction 
of $t$ looks like: $t \to^* H_0[[0/u_0, j_0]s_0^+ 0] \to H_0[u_0] \to \ldots$ and the result follows 
from lemmas 8 and 9. □ 

Proof of theorem 3 

1. By induction on $(\eta_0(t'), cxty(t))$. Note that the proof is by contradiction. We 
tried to find a constructive proof but we have been unable to find a correct 
one. 

— Assume first $t = H[(\sigma\lambda u\ v)]$ and $t \notin SN$. By lemma 12, let 
$t \to_r^* t_0 = H_0[((k_0)s_0\lambda u\ v_0)]$ be such that $t_1 = H_0[[0/v_0, k_0]s_0^+ u] \notin SN$. By 
the confluence of $\to^*$, let $t_0'$ be such that $t' \to^* t_0'$ and $t_0 \to^* t_0'$. By 
lemma 10 with the reduction $t_0 \to^* t_0'$, $t_0' = H'[(\sigma'\lambda u\ v')]$. Let 
$t_1' = H'[[0/v', k']s'^+ u]$ where $r(\sigma') = (k')s'$. Then $\eta_0(t_1') \leq \eta_0(t')$ and, by 
lemma 10, $t_1 \to^* t_1'$. It is thus enough to show that $arg(t_1) \subseteq SN$ to get 
a contradiction from the induction hypothesis. 

Let $w_1 \in arg(t_1)$. By lemma 4, either $w_1 \in arg(t_0)$ and the result is 
trivial, or $w_1 = L(H_0)[[0/v_0, k_0]s_0^+ w]$ for some $w \in arg(u)$, or $H$ is not an 
i-context and $w_1 = L(H_0)[[0/v_0, k_0]s_0^+ u]$. 

Since the second case is similar, we consider only the first one. Let 
$a = L(H)[(\sigma\lambda w\ v)]$ and $a' = L(H')[(\sigma'\lambda w\ v')]$. Then, $a \to^* a'$ and 
$\eta_0(a') \leq \eta_0(t')$ (use lemma 11 for the difficult case, i.e. when $u = K[0]$ 
and $w = I(L(K))$). If it is not the case that $H$ is an i-context and 
$u = 0$, then $cxty(a) < cxty(t)$ and, by the induction hypothesis, $a \in SN$ 
and the result follows since $a \to^* w_1$. Otherwise, the result is trivial 
since it is easily seen (by induction on $(\eta(H), cxty(H))$) that, if 
$t = H[(\sigma\lambda 0\ v)]$ (where $H$ is an i-context), $r(\sigma) = (k)s$ and $arg(t) \subseteq SN$, 
then $H[[0/v, k]s^+ 0] \in SN$. 

— Assume $t = H[0]$ and $t \notin SN$. By lemma 12, let 
$t = K[[i/u, j]K_0][0] \to_r^* t_0 = K[H_0][[0/u, j]s_0^+ 0]$ be such that $t_1 = K[H_0][u] \notin SN$. By the 
confluence of $\to^*$, let $t_0'$ be such that $t' \to^* t_0'$ and $t_0 \to^* t_0'$. By lemma 10 
with the reduction $t_0 \to^* t_0'$, $t_0' = H'[[0/u', j']s'^+ 0]$ where $K[H_0] \to^* H'[s_1 *]$ 
for some $s_1$ such that $s_1[0/u, j]s_0^+ \to^* [0/u', j']s'^+$. Let $t_1' = H'[u']$. 
Then $\eta_0(t_1') \leq \eta_0(t')$ and, by lemma 10, $t_1 \to^* t_1'$. It is thus 
enough to show that $arg(t_1) \subseteq SN$ to get a contradiction from the 
induction hypothesis. 

Let $w_1 \in arg(t_1)$. By lemma 4 either $w_1 \in arg(t_0)$ and the result is trivial 
or $w_1 = L(K[H_0])[w]$ for some $w \in arg(u)$ or $H$ is not an i-context and 
$w_1 = L(K[H_0])[u]$. 

Since the second case is similar, we consider only the first one. Let 
$a = L(K[[i/w, j]K_0])[0]$. Since $s_1 u \to^* u'$, it is easy to find $w'$ such that 
$s_1 w \to^* w'$ and, letting $a' = L(H')[[0/w', j']s'^+ 0]$, $a \to^* a'$ and 
$\eta_0(a') \leq \eta_0(t')$ (use lemma 11 for the difficult case, i.e. when $u = K[0]$ and 
$w = I(L(K))$). Since $cxty(a) < cxty(t)$ (except if $H$ is an i-context and $u = 0$ 
but in this case again the result is trivial), by the induction hypothesis, 
$a \in SN$ and the result follows since $a \to^* w_1$. 

2. This follows immediately from (1) and lemma 5. □ 

4 Strong Normalization for $S$ 

Theorem 5 below has first been proved in [7] by Di Cosmo & al. It is of course 
a trivial consequence of theorem 7 of section 5. However, the proof presented 
below is interesting in itself because it is purely arithmetical whereas the one of 
section 5 is not. 

Theorem 5. Typed terms of $T$ are strongly normalizing. 

Proof. By induction on $cxty(t)$. The cases $t = 0$, $t = \lambda t'$ and $t = ()t'$ are 
immediate. The case $t = [i/u, j]t'$ follows immediately from theorem 6 below. 
The remaining case is $t = (u\ v)$. By the induction hypothesis, $u$ and $(0\ (1)v)$ are 
in $SN$. Thus, by theorem 6, $[0/u, 0](0\ (1)v) \in SN$ and since $[0/u, 0](0\ (1)v) \to^* t$ 
it follows that $t \in SN$. □ 



Theorem 6. Assume $u, t \in T \cap SN$. Then $[i/u, j]t \in SN$. 

Proof. We prove the following. Let $u \in T \cap SN$. Then, 

(1) If $t' \in T \cap SN$, then $[i/u, j]t' \in SN$. 

(2) If $H \in C \cap SN$ is pure, then $H[u] \in SN$. 

This is done by simultaneous induction on $(type(u), \eta_0(v), cxty(v), \eta_0(u))$ where 
$type(u)$ is the number of $\to$ in the type of $u$ and $v = t'$ for (1) (resp. $v = H$ for 
(2)). The induction hypothesis will be denoted by IH. 

1. $t = [i/u, j]t'$. The fact that $arg(t) \subseteq SN$ follows immediately from the IH. 
By theorem 3, it is thus enough to show that $hred(t) \in SN$. 

(a) If $t' = H[(\sigma\lambda v_1\ v_2)]$: since $\eta_0(hred(t')) < \eta_0(t')$, it follows from the IH 
that $[i/u, j]hred(t') \in SN$ and the result follows since $[i/u, j]hred(t') \to^* hred(t)$. 

(b) If $t' = H[0]$: let $r(t') = K[s0]$. 

• If $s^{\downarrow} \neq 0$: since $\eta_0(hred(t')) < \eta_0(t')$, it follows from the IH that 
$[i/u, j]hred(t') \in SN$ and the result follows since $[i/u, j]hred(t') \to^* hred(t)$. 

• Otherwise, let $r(t) = K'[s'0]$. If $s'^{\downarrow} = 0$ the result is trivial. Otherwise 
$s'^{\downarrow} = u'$ for some $u'$ such that $u \to^* u'$ and thus $t_1 = hred(t) = K'[u']$. 
If $K'$ is an i-context the result is trivial. Otherwise $K' = H'[((k)*\ t_0)]$. 
Then $t_1 = H'[((k)u'\ t_0)]$. It is clear that $arg(t_1) \subseteq SN$. 
It is thus enough to show that $hred(t_1) \in SN$. 

* If $u' = (k')\lambda u_0'$ and thus $hred(t_1) = H'[w]$ where $w = [0/t_0, k+k']u_0'$. 
Since $type(t_0) < type(u)$, by the IH, $w \in SN$. By the IH, 
$H'[w] \in SN$ since $type(w) < type(u)$. Note that, here, we use 
(2). 

* Else $hred(t_1) = H'[((k)hred(u')\ t_0)] = hred([i/hred(u'), j]t')$. 
If $u' \to^+ hred(u')$, the result follows from the IH. Otherwise, 
the result is trivial. 

2. $t = H[u]$. If $H$ is an i-context, the result is immediate. Otherwise, 
$H = H'[((k)*\ t')]$. It is clear that $arg(t) \subseteq SN$. It remains to prove that 
$hred(t) \in SN$. 

(a) If $u = \sigma\lambda u'$: then $hred(t) = r(H')[[0/t', k+k']s^+ u']$ where $r(\sigma) = (k')s$. 
Since $u \in SN$, $s^+ u' \in SN$. By the IH since $type(t') < type(u)$, 
$[0/t', k+k']s^+ u' \in SN$. Finally $hred(t) \in SN$ since $type([0/t', k+k']s^+ u') < type(u)$. 

(b) Otherwise $hred(t) = H[hred(u)]$. If $u \to^+ hred(u)$ the result follows 
from the IH and otherwise the result is trivial. □ 



Remark 4. We need (2) in the proof of (1) for the following reason: we cannot 
always find $H'$ and $i, j$ such that $[i/v, 0]H'[(j)0] \to^* H[v]$. By choosing $i$ large 
enough and $j$ conveniently it is not difficult to get $[i/v, 0]H[(j)0] \to^* H[(j)v]$ 
but we do not know how to get rid of $(j)$. This is rather strange since, in the 
$\lambda$-calculus, this corresponds to the trivial fact that $(u\ v)$ can be written as 
$(x\ v)[x := u]$ where $x$ is a fresh variable. 

5 Strong Normalization for $T$ 

The proof uses the same lines as the one for the (ordinary) $\lambda$-calculus. We first 
define the candidates of reducibility and show some of their properties. Then, 
we define the interpretation of a type and we show that if $t$ has type $A$ then $t$ 
belongs to the interpretation of $A$. 

Definition 9. 1. If $X$ and $Y$ are subsets of $T$, $X \to Y$ denotes the set of $t$ 
such that, for all $u \in X$, $(t\ u) \in Y$. 

2. The set $\mathcal{C}$ of candidates of reducibility is the smallest set which contains $SN$ 
and is closed by $\to$ and intersection. 

3. $N_0$ is the set of terms of the form $(0\ u_1 \ldots u_n)$ where $u_i \in SN$ for each $i$. 

Lemma 13. Assume $C \in \mathcal{C}$. Then, $N_0 \subseteq C \subseteq SN$. 

Proof. By induction on $C$. □ 
Definition 10. An interpretation $I$ is a function from $V$ to $\mathcal{C}$. $I$ is extended to 
$T$ by: $|\alpha|_I = I(\alpha)$, $|A \to B|_I = |A|_I \to |B|_I$ and $|\forall\alpha.A|_I = \bigcap_{C \in \mathcal{C}} |A|_{I\{\alpha := C\}}$ 
(where $J = I\{\alpha := C\}$ is such that $J(\alpha) = C$ and $J(\beta) = I(\beta)$ for $\beta \neq \alpha$). 

Definition 11. — Let $u_0, \ldots, u_{n-1}$ be a sequence of terms. We denote by $[i/\bar{u}]$ 
the substitution $[i/u_0, 0][i+1/u_1, 0] \ldots [i+n-1/u_{n-1}, 0]$. 

— For $\Gamma = A_0, \ldots, A_{n-1}$, $\bar{u} \in |\Gamma|_I$ means that $u_i \in |A_i|_I$ for all $i$. 

— A substitution $s$ is regular if it is of the form $[i/\bar{u}]$ and $u_i \in SN$ for each $i$. 

Lemma 14. Let $\bar{w}$ be a sequence of terms in $SN$, $s \in S$ be regular and $C \in \mathcal{C}$. 
Assume either $t' \to^* t$ or $t' = [0/t, j]s^+ 0$ or $t' = (s\lambda u\ v)$ and $t = [0/v, 0]s^+ u$. If 
$(t\ \bar{w}) \in C$, then $(t'\ \bar{w}) \in C$. 

Proof. By induction on $C$. The case $C = SN$ follows immediately from theorem 3. 
The other cases are straightforward. □ 

Lemma 15. $|A\{\alpha := B\}|_I = |A|_{I\{\alpha := |B|_I\}}$ and thus $|A|_{I\{\alpha := B\}} = |A|_I$ if $\alpha \notin A$. 

Proof. Straightforward. □ 

Lemma 16. Let $I$ be an interpretation. Assume $\Gamma \vdash t : B$ and $\bar{u} \in |\Gamma|_I$ then 
$[0/\bar{u}]t \in |B|_I$. 

Proof. By induction on $\Gamma \vdash t : B$. For simplicity, we write $|A|$ instead of $|A|_I$. 
Assume $\bar{u} \in |\Gamma|$ and look at the last rule used in the typing derivation: 

— rule $Ax$: 

$$\frac{}{A, \Gamma \vdash 0 : A}$$

Let $v \in |A|$. By lemma 13, $v, \bar{u} \in SN$ and the result follows from lemma 14. 

— rule $\to_i$: 

$$\frac{A, \Gamma \vdash t : B}{\Gamma \vdash \lambda t : A \to B}$$

Let $v \in |A|$ and $w = ([0/\bar{u}]\lambda t\ v)$. By the IH, $[0/v, 0][1/\bar{u}]t \in |B|$ and the 
result follows from lemma 14. 

— rule $\to_e$: 

$$\frac{\Gamma \vdash t : A \to B \qquad \Gamma \vdash v : A}{\Gamma \vdash (t\ v) : B}$$

By the IH, $[0/\bar{u}]t \in |A \to B|$ and $[0/\bar{u}]v \in |A|$. Thus $([0/\bar{u}]t\ [0/\bar{u}]v) \in |B|$ 
and the result follows from lemma 14. 

— rule $Weak$: 

$$\frac{\Gamma \vdash t : A}{B, \Gamma \vdash ()t : A}$$

Let $v \in |B|$. By the IH, $[0/\bar{u}]t \in |A|$ and the result follows from lemma 14. 

— rule $Cut$: 

$$\frac{\Gamma, A, \Phi \vdash t : B \qquad \Delta, \Phi \vdash v : A}{\Gamma, \Delta, \Phi \vdash [i/v, j]t : B} \qquad \text{where } i = \|\Gamma\| \text{ and } j = \|\Delta\|$$

Let $\bar{u}_1 \in |\Delta|$, $\bar{u}_2 \in |\Phi|$ and $w' = [0/\bar{u}][i/\bar{u}_1][i+j/\bar{u}_2][i/v, j]t$. By the IH (on 
the second premise), $[0/\bar{u}_1][j/\bar{u}_2]v \in |A|$. By the IH (on the first premise), 
$w = [0/\bar{u}][i/[0/\bar{u}_1][j/\bar{u}_2]v, 0][i+1/\bar{u}_2]t \in |B|$. Since $w' \to^* w$, the result 
follows from lemma 14. 

— rule $\forall_i$: 

$$\frac{\Gamma \vdash t : A}{\Gamma \vdash t : \forall\alpha.A} \qquad \text{if } \alpha \notin \Gamma$$

Let $C \in \mathcal{C}$. Since $\alpha \notin \Gamma$, by lemma 15, $\bar{u} \in |\Gamma|_{I\{\alpha := C\}}$ and thus, by the IH, 
$[0/\bar{u}]t \in |A|_{I\{\alpha := C\}}$. It follows that $[0/\bar{u}]t \in |\forall\alpha.A|_I$. 

— rule $\forall_e$: 

$$\frac{\Gamma \vdash t : \forall\alpha.A}{\Gamma \vdash t : A\{\alpha := B\}}$$

By the IH, $[0/\bar{u}]t \in |\forall\alpha.A|_I$ and thus $[0/\bar{u}]t \in |A|_{I\{\alpha := |B|_I\}} = |A\{\alpha := B\}|_I$ 
(by lemma 15). □ 

Theorem 7. Every typed term is strongly normalizing. 

Proof. Assume $\Gamma \vdash t : B$. By lemma 13, $\bar{0} \in |\Gamma|$ and thus, by lemma 16, 
$[0/\bar{0}]t \in |B|$. By lemma 13, $[0/\bar{0}]t \in SN$ and thus, since $SN$ is closed by subterms, 
$t \in SN$. □ 
A Appendix 

The set of terms and the reduction rules of the original calculus of [4] are: 

Terms 

$$T ::= n \mid \lambda T \mid (T\ T) \mid (k)T \mid [i/T, j]T \qquad \text{where } n, k, i, j \in \mathbb{N}.$$

Rules 

$$\begin{array}{llll}
b_1 & (\lambda t\ u) & \to & [0/u, 0]t \\
b_2 & ((k)\lambda t\ u) & \to & [0/u, k]t \\
l & [i/u, j]\lambda t & \to & \lambda[i+1/u, j]t \\
a & [i/u, j](t\ v) & \to & ([i/u, j]t\ [i/u, j]v) \\
e_1 & [i/u, j](k)t & \to & (j+k-1)t \qquad i < k \\
e_2 & [i/u, j](k)t & \to & (k)[i-k/u, j]t \qquad k \leq i \\
n_1 & [i/u, j]n & \to & n \qquad n < i \\
n_2 & [i/u, j]n & \to & (i)u \qquad n = i \\
n_3 & [i/u, j]n & \to & n+j-1 \qquad i < n \\
c_1 & [i/u, j][k/v, l]t & \to & [k/[i-k/u, j]v, j+l-1]t \qquad k \leq i < k+l \\
c_2 & [i/u, j][k/v, l]t & \to & [k/[i-k/u, j]v, l][i-l+1/u, j]t \qquad k+l \leq i \\
m & (i)(j)t & \to & (i+j)t
\end{array}$$
Abstract. Gire and Hoang introduce a fixed-point logic with a 'symmetric' 
choice operator that makes a nondeterministic choice from a definable 
set of tuples at each stage in the inductive construction of a relation, as 
long as the set of tuples is an automorphism class of the structure. We 
present a clean definition of the syntax and semantics of this logic and 
investigate its expressive power. We extend the logic of Gire and Hoang 
with parameterized and nested fixed points and first-order combinations 
of fixed points. We show that the ability to supply parameters to fixed 
points strictly increases the power of the logic. Our logic can express the 
graph isomorphism problem and we show that, on almost all structures, 
it captures $\mathrm{P}^{\mathrm{GI}}$, the class of problems decidable in polynomial time by a 
deterministic Turing machine with an oracle for graph isomorphism. 



1 Introduction 

Descriptive complexity classifies problems according to the richness of the log- 
ical language required to describe them, offering a view of complexity that is 
independent of any machine model. Fagin’s result that the problems describ- 
able in the existential fragment of second-order logic are exactly those in NP 
[Fag74] invites the natural question of whether there is a logic for P. First-order 
logic can only express queries of low computational complexity. This is because 
it is unable to express many fundamental algorithmic tools such as iteration, 
counting, arithmetic and the selection of a single element with some property. 

Fixed-point logics such as LFP and IFP address the first of these deficiencies. 
With the proviso that every structure be equipped with a linear ordering of its 
vertices, these logics capture the class P [Imm86,Var82]. (A logic $\mathcal{L}$ is said to 
capture a complexity class $\mathcal{C}$ if every problem in $\mathcal{C}$ is definable by a formula in $\mathcal{L}$ 
and the problem of evaluating $\mathcal{L}$-formulae is, itself, in $\mathcal{C}$.) Given a linear order, 
iteration allows counting, arithmetic and choice to be performed. The successive 
elements of the ordering can be used to simulate numbers and choice from a set 
can be achieved by taking the element that is least according to the order. 

The imposition of an extrinsic linear ordering is undesirable as it allows the 
expression of queries such as, 'there are no edges to the last vertex in the graph,' 
which is as much a property of the ordering as it is of the graph. A compromise 
would be to allow only those queries which are invariant under changes to the 
ordering but this attempt fails because the set of formulae giving rise to order-invariant 
queries is undecidable. In the absence of a linear order, LFP and IFP 
cannot express simple counting properties like the parity of a set. 

The ability to count alone does not suffice as first-order logic with counting quantifiers cannot define the class of connected graphs. However, the combination of inflationary fixed points and counting is a widely-studied and reasonably powerful logic. Immerman had conjectured that IFP + C would capture P but this was refuted by Cai, Fürer and Immerman [CFI92]. Nonetheless, the logic does capture P on many classes of graphs, such as trees [IL90], planar graphs [Gro98], and graphs of bounded tree width [GM99] or genus [Gro00].

In [DR], we considered the combination of fixed points and nondeterministic choice, extending the work that appears in [AB87,GH98]. Iteration with choice can be used to construct a linear order on the universe of a structure but, in general, formulae are nondeterministic: they define sets of relations rather than single relations. The queries defined by deterministic formulae (those defining a single relation) are exactly P but this set of formulae is undecidable so cannot reasonably be called a logic. We also considered several notions of satisfaction for nondeterministic formulae and showed that the resulting logics capture a wide range of complexity classes including NP and co-NP.

Assuming that $\mathrm{P} \neq \mathrm{NP}$, unrestricted choice is, therefore, too powerful to capture P. In [GH98], Gire and Hoang consider a combination of fixed points and symmetric choice, a restriction in which choices may be made only from automorphism classes of the structure on which the formula is being evaluated (that is, sets in which every pair of elements is exchanged by some automorphism). They define a fixed-point operator that takes as arguments formulae $\varphi$ and $\psi$. At each stage in evaluating the fixed point, $\psi$ defines a set of tuples, the choice set. If this set is an automorphism class, one tuple is nondeterministically chosen from it; otherwise, no tuple is chosen. The chosen tuple (or lack of such) is then used by $\varphi$ to add tuples to the relation being constructed.

This fixed-point operator is ‘semideterministic’: while an induction may still 
define a set of relations, these relations are pairwise isomorphic. This allows the 
definition of a logic that we call SC-IFP. This is still not a serious candidate for 
capturing P as, even if it were shown to express all polynomial-time properties, 
evaluating formulae requires testing that sets are automorphism classes and there 
is no known polynomial-time algorithm for doing this. 

Gire and Hoang deal with this problem by defining a sublogic in which the fixed-point operator takes as an argument an extra formula that is supposed to provide a witness automorphism for each pair of tuples in the choice set; if the witness formula does not show that the choice set is an automorphism class, no element is chosen. This guarantees that formulae can be evaluated in polynomial time while maintaining semideterminism of the fixed-point operator. It is this logic (or, rather, its closure under an operator that performs interpretations between structures) that Gire and Hoang show to be strictly more expressive than IFP + C while still defining only polynomial-time properties. While it seems unlikely that this logic captures P, this remains to be proved.

In this paper, we concentrate on SC-IFP. Showing that there are polynomial-time properties not definable in this logic would settle the status of the sublogic and, with this aim in mind, we investigate the power of SC-IFP. The logic we define is broadly similar to that of Gire and Hoang but there are some important differences in the syntax (we allow parameterized and nested fixed points) and semantics (Gire and Hoang require the choice set to be an automorphism class of the structure; we require it only to be an automorphism class up to those relations mentioned in the formula). In particular, we show that the ability to supply first-order parameters to fixed points strictly increases the power of the logic. This is significant as it involves the first inexpressibility result for SC-IFP and the usual techniques for proving such results (embedding into infinitary logics or using games) seem to be unavailable. We proceed by choosing a class of structures on which the parameterless fragment is weak.

The expressive power of SC-IFP is closely related to the graph isomorphism problem, GI, which it can express. GI is clearly in NP (guess a mapping between two graphs and check that it is an isomorphism) but not known to be either NP-complete, in P or even P-hard. There are, nonetheless, many results concerning the complexity of this problem. For example, it is known to be NL-hard under logarithmic space reductions [Tor00] and it is unlikely to be NP-complete as, if it were, the polynomial hierarchy would collapse at its second level [BHZ87,Sch88].

Our main result is that, on almost all structures, the closure of SC-IFP under first-order reductions captures $\mathrm{P}^{\mathrm{GI}}$, the class of problems decidable in polynomial time by a Turing machine with an oracle for GI. In particular, it captures $\mathrm{P}^{\mathrm{GI}}$ on any class of structures on which IFP + C captures P. Independent of GI, it is known from [GH98] that the logic is strictly more expressive than IFP + C.

The rest of this section contains background definitions. SC-IFP is introduced 
in Section 2 and we discuss the effects of allowing parameterized definitions in 
Section 3. In Section 4, we investigate the expressive power of the logic. 

Preliminaries. All structures in this paper are finite and all vocabularies are finite and purely relational, though constant symbols are omitted for notational convenience only. We write $|\mathfrak{A}|$ for the universe of structure $\mathfrak{A}$ and $\|\mathfrak{A}\|$ for the cardinality of $|\mathfrak{A}|$.

Classes of structures are assumed to be isomorphism-closed: if a structure is in a class, all images of that structure under isomorphisms are in the class. If $\mathcal{C}$ is a class of structures, a $k$-ary query $Q$ on $\mathcal{C}$ maps each structure $\mathfrak{A} \in \mathcal{C}$ to a $k$-ary relation on $|\mathfrak{A}|$ such that if $p : \mathfrak{A} \to \mathfrak{B}$ is an isomorphism, $Q(\mathfrak{B}) = p(Q(\mathfrak{A}))$. The case $k = 0$ is known as a boolean query: $\emptyset$ represents false and $\{()\}$, the relation containing the unique empty tuple, represents true. A boolean query $Q$ on a class $\mathcal{C}$ may be associated with the class $\{\mathfrak{A} \in \mathcal{C} : Q(\mathfrak{A}) \text{ is true}\}$.

A query $Q$ on a class $\mathcal{C}$ of structures is $\mathcal{L}$-definable for some logic $\mathcal{L}$ if there is a formula $\varphi \in \mathcal{L}$ such that $\varphi^{\mathfrak{A}} = Q(\mathfrak{A})$ for all $\mathfrak{A} \in \mathcal{C}$. We write $\mathcal{L}_1 \leq \mathcal{L}_2$ if every $\mathcal{L}_1$-definable query is also $\mathcal{L}_2$-definable and $\mathcal{L}_1 = \mathcal{L}_2$ if $\mathcal{L}_1 \leq \mathcal{L}_2$ and $\mathcal{L}_2 \leq \mathcal{L}_1$. We denote by $\mathcal{L}^k$ the fragment of first-order logic in which no formula contains more than $k$ distinct variables and we assume familiarity with the conventional fixed-point logics LFP and IFP and with logics with counting. See [EF99] for an introduction to these topics.

2 Symmetric Choice 

In this section, we introduce the sc-ifp fixed-point operator and establish some of its basic properties. sc-ifp takes two operands, respectively the induction formula and the choice formula. We consider the fixed point as being built up in a series of stages. At each stage of evaluation on some structure $\mathfrak{A}$, the choice formula is evaluated to produce a set of tuples, the choice set. If the choice set is an automorphism class of $\mathfrak{A}$, one of its tuples is nondeterministically chosen; if it is not, no element is chosen. The induction formula is then evaluated using the chosen tuple, if any, along with the relation built up so far to define the tuples to be added to the relation being constructed.

To avoid circularity of definition, we define the operator to take a general class of maps from relations to relations as its arguments. We also introduce parameters to the definitions from the outset as the definitions are more sensitive to parameters than the definitions of conventional fixed-point logics. This complicates the definitions a little but the reader may treat all tuples of parameters as empty at a first reading. Throughout, we use the notation $\bar{z}$ to denote variables that are treated as parameters.

On a structure $\mathfrak{A}$ and for any interpretation of the $r$-ary relation $X$ and the $n$-tuple of parameters $\bar{z}$, a formula $\varphi(X, \bar{x}\bar{z})$, where $|\bar{x}| = r$, defines an $r$-ary relation. We can, therefore, associate with $\varphi$ a map $f^{\mathfrak{A}} : |\mathfrak{A}|^n \times \mathcal{P}(|\mathfrak{A}|^r) \to \mathcal{P}(|\mathfrak{A}|^r)$ and we shall define our operator in terms of maps such as this.

Definition 1. Let $\mathfrak{A}$ be a structure and let $X$ and $Y$ be new relation symbols of arity $r$ and $s$, respectively. A pair of maps $f^{\mathfrak{A}}$ and $g^{\mathfrak{A}}$ is appropriate for $X$ and $Y$ on $\mathfrak{A}$ if:

— both have domain $|\mathfrak{A}|^n \times \mathcal{P}(|\mathfrak{A}|^r) \times \mathcal{P}(|\mathfrak{A}|^s)$;

— $f^{\mathfrak{A}}$ has range $\mathcal{P}(|\mathfrak{A}|^r)$ and $g^{\mathfrak{A}}$ has range $\mathcal{P}(|\mathfrak{A}|^s)$;

— for any fixed $\bar{a} \in |\mathfrak{A}|^n$ and interpretations for $X$ and $Y$ in $\mathfrak{A}$, $f^{\mathfrak{A}}(\bar{a}, X, Y)$ and $g^{\mathfrak{A}}(\bar{a}, X, Y)$ are invariant under any automorphism of $(\mathfrak{A}, X, Y, \bar{a})$.

To cope with parameterized definitions, we need to restrict attention to automorphisms that fix the interpretations of the parameters and we define automorphism classes appropriately. This is a technical condition which we will explain in Example 7 after we have defined the sc-ifp operator.

Definition 2. Let $\mathfrak{A}$ be a structure and $n, s \in \mathbb{N}$. For a tuple $\bar{a} \in |\mathfrak{A}|^n$, an $\bar{a}$-respecting automorphism class of $|\mathfrak{A}|^s$ is a maximal set $C \subseteq |\mathfrak{A}|^s$ such that, for all $\bar{b}, \bar{c} \in C$, there is an automorphism $p$ of $\mathfrak{A}$ such that $p(\bar{a}) = \bar{a}$ and $p(\bar{b}) = \bar{c}$.

Definition 3. Let $\mathfrak{A}$ be a structure and let $f^{\mathfrak{A}}$ and $g^{\mathfrak{A}}$ be maps appropriate for new relation symbols $X$ and $Y$ on $\mathfrak{A}$. For any fixed tuple of parameters $\bar{a} \in |\mathfrak{A}|^n$, let $T^{\mathfrak{A},\bar{a}}_{f,g}$ be the least tree with the following properties:

— the root is labelled $(\emptyset, \emptyset)$;

— if $g^{\mathfrak{A}}(\bar{a}, R, S)$ is a non-trivial $\bar{a}$-respecting automorphism class of $(\mathfrak{A}, R, S)$, a node labelled $(R, S)$ has a child labelled $(R \cup f^{\mathfrak{A}}(\bar{a}, R, \{\bar{s}\}), \{\bar{s}\})$ for each $\bar{s} \in g^{\mathfrak{A}}(\bar{a}, R, S)$;

— otherwise, a node labelled $(R, S)$ has a child labelled $(R \cup f^{\mathfrak{A}}(\bar{a}, R, \emptyset), \emptyset)$.

Call a path in $T^{\mathfrak{A},\bar{a}}_{f,g}$ $R$-dense if infinitely many of its nodes have $R$ as the first component of their label and define $\text{sc-ifp}(f^{\mathfrak{A}}; g^{\mathfrak{A}})(\bar{a})$ to be the set of relations $R$ for which there is an $R$-dense path in the tree.

The tree is equivalent to a nondeterministic computation. At each stage, if the map $g^{\mathfrak{A}}$ defines a single automorphism class of $\mathfrak{A}$, an element of that class is nondeterministically chosen and fed into the map $f^{\mathfrak{A}}$ to generate the next stage. Of course, there is no guarantee that the process defines a unique relation.

Example 4. On a pure set $\mathfrak{A}$, consider the maps $f^{\mathfrak{A}}$ and $g^{\mathfrak{A}}$ defined by

$$\varphi(X, Y, x_1 x_2) = Y(x_2) \wedge (x_1 = x_2 \vee X(x_1 x_1))$$

$$\psi(X, Y, y) = \neg X(yy),$$

respectively. $\text{sc-ifp}(f^{\mathfrak{A}}; g^{\mathfrak{A}})$ defines the set of linear orders on $|\mathfrak{A}|$. Initially, the relations $X$ and $Y$ are empty. At the first iteration, $\psi$ defines the whole of $|\mathfrak{A}|$, which is an automorphism class of the structure $(|\mathfrak{A}|, X, Y)$ so an element is nondeterministically selected — call it '1' — and we set $Y = \{1\}$. We then add to the relation $X$ all tuples satisfying $\varphi$. In this case, there is just one such tuple, $11$. At the second iteration, $\psi$ defines all members of $|\mathfrak{A}|$ other than 1. So long as $\mathfrak{A}$ is not a singleton, this is an automorphism class, so an element that we shall call '2' is nondeterministically selected and $Y$ is set to $\{2\}$. Now $\varphi$ is satisfied by the tuples $12$ and $22$ and these are added to $X$. At each subsequent stage, the choice set contains all elements that have not yet been ordered. If this set is non-empty, it is an automorphism class so one unordered element is selected to be the new maximal element of the ordering. Once all elements have been ordered, the choice set will always be empty so no more tuples will be added.

Although Definition 3 refers to labels occurring infinitely often in infinite trees, on a finite structure $\mathfrak{A}$, we need consider only a finite portion of the tree.

Lemma 5 (Finite Evaluation Lemma). Let $\mathfrak{A} \in \mathrm{STRUC}[\sigma]$ and $\bar{a} \in |\mathfrak{A}|^n$. There is an $R$-dense path in $T^{\mathfrak{A},\bar{a}}_{f,g}$ if and only if there is an $S$ such that $(R, S)$ labels two nodes on a path in the tree between depth $d$ and $2d$, for some $d$ bounded by a polynomial in $\|\mathfrak{A}\|$. □

This follows from the finiteness of $\mathfrak{A}$ and the fact that if $(R_i, S_i)_{i \geq 0}$ labels a maximal path in the tree, $R_i \subseteq R_{i+1} \subseteq |\mathfrak{A}|^r$ for some $r$ and $\|S_i\| \leq 1$ for all $i$. We omit the details as the proof is identical to that of Lemma 17 in [DR].

While sc-ifp does not, in general, define a unique relation, the relations defined by an application are pairwise isomorphic: the operator is semideterministic in the terminology of Gyssens, Van den Bussche and Van Gucht [GVV94].
Proposition 6. If $R, R' \in \text{sc-ifp}(f^{\mathfrak{A}}; g^{\mathfrak{A}})$ then $(\mathfrak{A}, R) \cong (\mathfrak{A}, R')$.

Proof. We show that, whenever $(R, S)$ and $(R', S')$ label nodes at depth $d$ in the tree, $(\mathfrak{A}, R, S) \cong (\mathfrak{A}, R', S')$. For $d = 0$, this is trivial.

Suppose $(R, S)$ and $(R', S')$ label two (not necessarily distinct) nodes at depth $d$ and that the former has a child labelled $(T, U)$ and the latter a child labelled $(T', U')$. By the inductive hypothesis, there is an isomorphism $p : (\mathfrak{A}, R, S) \to (\mathfrak{A}, R', S')$. (We assume that all isomorphisms and automorphisms mentioned in this proof fix any first-order parameters to the maps.)

Since $g^{\mathfrak{A}}$ is invariant under automorphisms, it defines an automorphism class on $(\mathfrak{A}, R, S)$ if, and only if, it does on $(\mathfrak{A}, R', S')$. If it does not define an automorphism class, $U = U' = \emptyset$. If it does, we have $U = \{\bar{u}\}$ and $U' = \{\bar{u}'\}$ and there must be an automorphism $\alpha$ of $(\mathfrak{A}, R, S)$ such that $p(\alpha(\bar{u})) = \bar{u}'$. In both cases, $(\mathfrak{A}, R, U) \cong (\mathfrak{A}, R', U')$.

Since $f^{\mathfrak{A}}$ is invariant under automorphisms, it follows that $(\mathfrak{A}, T, U) = (\mathfrak{A}, R \cup f^{\mathfrak{A}}(\bar{a}, R, U), U) \cong (\mathfrak{A}, R' \cup f^{\mathfrak{A}}(\bar{a}, R', U'), U') = (\mathfrak{A}, T', U')$. □

The restriction to automorphisms that fix parameters is necessary in order 
to guarantee semideterminism. This is illustrated by the following example. 

Example 7. Consider a pure set $\mathfrak{A}$ with at least two elements and the maps $f^{\mathfrak{A}}$ and $g^{\mathfrak{A}}$ defined, respectively, by the formulae

$$\varphi(X, Y, xz) = Y(x) \vee x = z \quad\text{and}\quad \psi(X, Y, x) = \mathit{true},$$

treating $z$ as a parameter to $\varphi$. Fix an interpretation $a \in |\mathfrak{A}|$ for $z$. Initially, $X$ and $Y$ are both empty. At every iteration of the fixed point, $\psi$ defines the whole of the set. At the first iteration, this is an automorphism class of the structure $(|\mathfrak{A}|, X, Y)$ so some element '$b$' is nondeterministically chosen and $Y$ is set to $\{b\}$. $\varphi$ is now satisfied by $b$ and $a$ (which are not necessarily distinct) and these elements are added to $X$. At subsequent iterations, the whole set is no longer a single automorphism class of the structure $(|\mathfrak{A}|, X, Y)$ so nothing more will happen: no more elements will be chosen and no more elements will be added to $X$. Therefore, $\text{sc-ifp}(f^{\mathfrak{A}}; g^{\mathfrak{A}})$ contains the relation $\{a\}$ and the relation $\{a, b\}$ for each $b \neq a \in |\mathfrak{A}|$: these relations are not isomorphic to each other.
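As an added illustration (Python written for this page, not code from the paper), the following brute-forces the tree of Definition 3 on a pure set and replays Examples 4 and 7: it decides the condition of Definition 2 by enumerating all permutations of the universe and then collects the relations lying on an $R$-dense path. The function names, the parameter value $a = 0$ and the `fix_params` switch (which goes one step beyond the text by running Example 7 both with and without the requirement that automorphisms fix the parameter) are my own choices.

```python
# Added example (not the paper's code): brute-force evaluation of the sc-ifp
# operator of Definition 3 on tiny structures, replaying Examples 4 and 7.
# Relations are sets of tuples; unary relations use 1-tuples such as (2,).
from itertools import permutations

def automorphisms(universe, rels, fixed=()):
    """Permutations of `universe` preserving every relation in `rels`
    (a dict name -> set of tuples) and fixing each element of `fixed`."""
    for image in permutations(universe):
        p = dict(zip(universe, image))
        if all(p[a] == a for a in fixed) and all(
                {tuple(p[x] for x in t) for t in rel} == rel for rel in rels.values()):
            yield p

def is_automorphism_class(universe, rels, choice_set, fixed=()):
    """Definition 2: a non-empty set equal to the orbit of any of its tuples under
    the automorphisms of (universe, rels) that fix the parameters in `fixed`."""
    if not choice_set:
        return False
    b = next(iter(choice_set))
    orbit = {tuple(p[x] for x in b) for p in automorphisms(universe, rels, fixed)}
    return orbit == set(choice_set)

def has_cycle(nodes, succ):
    """DFS cycle detection in the subgraph induced by `nodes`, edges from `succ`."""
    allowed, colour = set(nodes), {}

    def visit(n):
        colour[n] = "grey"
        for m in succ[n]:
            if m in allowed and (colour.get(m) == "grey" or (m not in colour and visit(m))):
                return True
        colour[n] = "black"
        return False
    return any(n not in colour and visit(n) for n in nodes)

def sc_ifp(universe, base, f, g, params=(), fix_params=True):
    """Relations R (frozensets) in sc-ifp(f; g)(params) on (universe, base), where
    f(params, R, S) gives the tuples to add to R and g(params, R, S) the choice
    set.  Each label (R, S) of the tree is explored once; since R only grows
    along a path (Lemma 5), R is a result iff some reachable label (R, S) lies on
    a cycle of labels all carrying R.  fix_params=False drops the requirement
    that automorphisms fix the parameters, the situation Example 7 warns about."""
    root = (frozenset(), frozenset())
    succ, todo = {}, [root]
    while todo:
        node = todo.pop()
        if node in succ:
            continue
        R, S = node
        rels = dict(base, X=set(R), Y=set(S))   # `base` must not use the names X, Y
        choice = frozenset(g(params, R, S))
        if is_automorphism_class(universe, rels, choice, params if fix_params else ()):
            kids = [(R | frozenset(f(params, R, {s})), frozenset({s})) for s in choice]
        else:
            kids = [(R | frozenset(f(params, R, set())), frozenset())]
        succ[node] = kids
        todo.extend(kids)
    return {R for R in {n[0] for n in succ}
            if has_cycle([n for n in succ if n[0] == R], succ)}

def example4_maps(universe):
    """Example 4 on a pure set: phi(X,Y,x1 x2) = Y(x2) and (x1 = x2 or X(x1 x1)),
    psi(X,Y,y) = not X(y y); the results are the linear orders on the universe."""
    def f(params, R, S):
        return {(x1, x2) for x1 in universe for x2 in universe
                if (x2,) in S and (x1 == x2 or (x1, x1) in R)}

    def g(params, R, S):
        return {(y,) for y in universe if (y, y) not in R}
    return f, g

def example7_maps(universe):
    """Example 7: phi(X,Y,x z) = Y(x) or x = z, with z a parameter; psi = true."""
    def f(params, R, S):
        return {(x,) for x in universe if (x,) in S or x == params[0]}

    def g(params, R, S):
        return {(x,) for x in universe}
    return f, g

def is_linear_order(universe, R):
    """Reflexive, total, antisymmetric and transitive binary relation on `universe`?"""
    return (all((x, x) in R for x in universe)
            and all((x, y) in R or (y, x) in R for x in universe for y in universe)
            and all(x == y for (x, y) in R if (y, x) in R)
            and all((x, z) in R for (x, y) in R for (w, z) in R if w == y))

def demo(n=3):
    """On the pure set {0..n-1}: the n! linear orders of Example 4, then Example 7
    with parameter a = 0 under the a-respecting semantics (only {a}) and without
    it ({a} together with {a, b} for each b != a, which is not isomorphic to {a})."""
    universe = list(range(n))
    f4, g4 = example4_maps(universe)
    f7, g7 = example7_maps(universe)
    return (sc_ifp(universe, {}, f4, g4),
            sc_ifp(universe, {}, f7, g7, params=(0,), fix_params=True),
            sc_ifp(universe, {}, f7, g7, params=(0,), fix_params=False))
```

`demo(3)` returns the six linear orders of Example 4 together with the two Example 7 result sets, the first a singleton and the second containing three pairwise distinct relations.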

We may use the sc-ifp operator to define a deterministic logic but, in doing so, we need to be careful. Since the semideterminism of the operator guarantees that the relations defined are isomorphic to each other, a sentence such as $\exists \bar{x}\, R(\bar{x})$, where the variables occurring in atomic formulae involving $R$ are quantified, is either true in $(\mathfrak{A}, R)$ for all $R \in \text{sc-ifp}(f^{\mathfrak{A}}; g^{\mathfrak{A}})$ or false for all of them. However, suppose the formula of Example 4 is evaluated in a graph $G = (V, E)$. The relation $E$ does not appear in the formula, but the meaning of the formula would appear to be different in $G$ than in its reduct to the empty vocabulary, as $G$ may have fewer automorphisms than its reduct. Thus, the logic would fail to have Ebbinghaus's 'reduct property' [Ebb85].

To avoid defining something which, by Ebbinghaus's criteria, is not a logic at all, our semantics of the sc-ifp operator requires invariance under automorphisms of the relevant reduct of the structure. That is, if the operands only mention vocabulary $\tau$, the expression is evaluated in $\mathfrak{A} \restriction \tau$. This means that the operator is only semideterministic with respect to this reduct but this is still sufficient to guarantee that formulae are deterministic. We denote by $\mathrm{voc}\,\varphi$ the vocabulary of relations mentioned in $\varphi$.

Definition 8. Let $\sigma$ be a vocabulary. The formulae of SC-IFP[$\sigma$] are the least set containing all atomic $\sigma$-formulae and closed under first-order operations and the following rule.

— If $\varphi, \psi \in$ SC-IFP[$\sigma, X, Y$], $\bar{x}$ and $\bar{y}$ are tuples of variables with $|\bar{x}| = \mathrm{ar}(X) = r$ and $|\bar{y}| = \mathrm{ar}(Y)$, $\bar{u}$ is an $r$-tuple of variables drawn from $u_1 \ldots u_k$ and each $Q_i$ is a quantifier $\exists$ or $\forall$ then $Q_1 u_1 \cdots Q_k u_k\, \text{sc-ifp}_{X\bar{x}, Y\bar{y}}(\varphi; \psi)(\bar{u})$ is a formula of SC-IFP[$\sigma$]. The free variables of this formula are the free variables of $\varphi$ and $\psi$ except those in $\bar{x}$ or $\bar{y}$.

The semantics is that of first-order logic with the addition of the following rule.

— Let $\Phi = Q\bar{u}\, \text{sc-ifp}_{X\bar{x}, Y\bar{y}}(\varphi; \psi)(\bar{u})$ with free variables $z_1 \ldots z_n$ and let $\tau = \mathrm{voc}\,\Phi$. If $\bar{a} \in |\mathfrak{A}|^n$, we write $(\mathfrak{A}, \bar{a}) \models \Phi$ if and only if $(\mathfrak{A}, R) \models Q\bar{u}\, R(\bar{u})$ for all $R \in \text{sc-ifp}(f^{\mathfrak{A} \restriction \tau}(\bar{a}, \cdot, \cdot); g^{\mathfrak{A} \restriction \tau}(\bar{a}, \cdot, \cdot))$, where $f$ and $g$ are the maps defined by $\varphi$ and $\psi$.

Note that, since sc-ifp is semideterministic, if $(\mathfrak{A}, R) \models Q\bar{u}\, R(\bar{u})$ for at least one $R$ defined by the fixed point, then it is true for all of them.

The logic we have defined is broadly the same as $\mathrm{FO} + \mathrm{IFP}_{c,s}$ defined by Gire and Hoang in [GH98], but there are a number of important differences. Firstly, their logic could be more properly denoted $\mathrm{IFP}_{c,s}(\mathrm{IFP})$ as it has formulae only of the form $Q\bar{u}\, \text{sc-ifp}_{X\bar{x}, Y\bar{y}}(\varphi; \psi)(\bar{u})$ where $\varphi$ and $\psi$ are IFP formulae. That is, they do not allow either nesting or first-order combinations of fixed points, whereas our definitions permit both freely. Secondly, $\mathrm{FO} + \mathrm{IFP}_{c,s}$ does not allow parameters to fixed-point expressions which, as we show in the next section, has a significant effect on the expressive power of the logic. Thirdly, Gire and Hoang consider automorphisms of the whole structure rather than the reduct to the vocabulary of the formula. This has the undesirable effect that the meaning of a formula may depend on relations not mentioned in the formula.

In addition to the formal differences above, it is also convenient to allow simultaneous fixed points, such as $Q\bar{u}\, \text{sc-ifp}_{X_1\bar{x}_1, \ldots, X_n\bar{x}_n, Y\bar{y}}(\varphi_1, \ldots, \varphi_n; \psi)(\bar{u})$. As usual, the fixed point defines relation $X_1$ with $X_2, \ldots, X_n$ considered as auxiliary relations. Note that we permit only one choice formula, as making more than one choice per stage would destroy semideterminism. (Consider making two simultaneous choices from a pure set; the effect is essentially the same as in Example 7.) Simultaneous definitions of the form indicated do not affect the expressive power of the language, as can be shown by standard techniques for combining several relations into a single relation of wider arity, though we must use a coding, such as that in [DR], that does not interfere with automorphisms of the structure. We shall freely use simultaneous definitions from this point.

In [DR], we showed that the logics C-IFP, NIO and IFP + S (from [BG00]) have equal expressive power. It is natural to ask why we consider here the symmetric version only of C-IFP. The answer is that the symmetric versions of the other two do not lead to sensible logics. IFP with symmetric S is not semideterministic as it is possible to write a formula that makes two simultaneous choices with the effects discussed in the previous paragraph. On the other hand, a symmetric nio operator seems to be too restricted. When constructing a relation, at each stage, it would only be able to add a tuple from a definable automorphism class: it is not even obvious that such an operator could simulate IFP.

3 The Role of Parameters 

In the previous section, we defined the logic SC-IFP, allowing fixed-point expressions to take first-order parameters and observed that Gire and Hoang's logic did not allow such parameters. Here, we show that the parameterless fragment of SC-IFP is much weaker than the whole logic. We denote by pSC-IFP this fragment, which is defined as the set of formulae of SC-IFP in which no occurrence of the fixed-point operator takes first-order parameters.

Consider structures over a vocabulary with a single binary relation interpreted as an equivalence relation. Call an equivalence relation even if all of its classes are of even cardinality. The following formula defines the class of even equivalence relations, by saying that no element $z$ is in a class of odd cardinality.

$$\chi = \theta \wedge \neg\exists z\, \text{sc-ifp}_{P, Qx, Rxy}(\varphi_P, \varphi_Q; \varphi_R),$$

where $\theta$ states that $\approx$ is an equivalence relation, $P$, $Q$ and $R$ are new relation symbols of arity 0, 1 and 2 respectively and

$$\varphi_P = \forall u\, (u \approx z \to Q(u))$$

$$\varphi_Q(x) = x = z \vee \exists u\, (R(ux) \vee R(xu))$$

$$\varphi_R(xy) = x \neq y \wedge x \neq z \wedge y \neq z \wedge x \approx y \approx z \wedge \neg Q(x) \wedge \neg Q(y).$$

At each stage of the evaluation, a pair of elements $xy$ is selected such that $x$, $y$ and $z$ are equivalent but distinct and neither $x$ nor $y$ is in $Q$. They and $z$ are added to $Q$. If all elements of $z$'s equivalence class are added to $Q$, it follows that the number of members of the class distinct from $z$ is even, i.e., that the class is of odd cardinality. In contrast, the main result of this section is:

Theorem 9. The class of even equivalence relations is not pSC-IFP-definable.

From this and the formula $\chi$ above, it is immediate that:

Corollary 10. pSC-IFP < SC-IFP. □ 

Towards a proof of Theorem 9, call an equivalence relation k-large if it has 
more than k equivalence classes and each class contains more than k elements. 

Lemma 11. On the class of $k$-large equivalence relations, every $\mathcal{L}^k$ formula is equivalent to one without quantifiers.

Proof. Let $\mathfrak{A}$ be a $k$-large equivalence relation and $\varphi(\bar{x}) \in \mathcal{L}^k$. Since $\mathcal{L}^k$ cannot distinguish between $\mathfrak{A}$'s equivalence classes, if $(\mathfrak{A}, \bar{a}) \models \varphi$, the same is true for all $\bar{b}$ of the same atomic type so $\varphi$ is equivalent to a disjunction of atomic types. □



Lemma 12. Let $\varphi(\bar{x}) \in \mathcal{L}^k$. Either there is a formula in the language of equality to which $\varphi$ is equivalent on all $k$-large equivalence relations or $\approx$ is uniformly $\mathcal{L}^k$-definable in $(|\mathfrak{A}|, \varphi^{\mathfrak{A}})$ for all $k$-large equivalence relations $\mathfrak{A}$.

Proof. We may assume $R = \varphi^{\mathfrak{A}}$ is at least binary: if it is unary, it must be either empty or $|\mathfrak{A}|$ as $\mathcal{L}^k$ cannot distinguish between the elements of $\mathfrak{A}$. By the previous lemma, we may assume that $\varphi$ is a disjunction of quantifier-free types, which we may write as $\bigvee_i (\eta_i \wedge \bigvee_j \alpha_{ij})$, where the $\eta_i$ are an enumeration of all possible equality types of the relevant arity and the $\alpha_{ij}$ are $\approx$-types.

If all the $\bigvee_j \alpha_{ij}$ are trivial, $R$ is a union of equality types; otherwise, there must be $i$ and $m \neq n$ such that $\mathfrak{A} \models \forall \bar{x}\, [(\varphi_1(\bar{x}) \to \varphi(\bar{x})) \wedge (\varphi_2(\bar{x}) \to \neg\varphi(\bar{x}))]$, where $\varphi_1(\bar{x}) = \eta_i \wedge x_m \approx x_n \wedge \beta$ and $\varphi_2(\bar{x}) = \eta_i \wedge x_m \not\approx x_n \wedge \beta$ or vice-versa, for some quantifier-free formula $\beta$. We may assume that $m = 1$ and $n = 2$.

Because $\varphi_1$ and $\varphi_2$ are both satisfiable, it follows from the symmetry of $\mathfrak{A}$ that any pair $a_1 \approx a_2$ can be extended to a tuple $\bar{a}$ satisfying $\varphi_1$ (and, hence, satisfying $\varphi$) and any pair $a_1 \not\approx a_2$ to a tuple satisfying $\varphi_2$ (and, hence, not satisfying $\varphi$) or vice-versa. So, on $(|\mathfrak{A}|, R)$, the following formula, which is equivalent to one in $\mathcal{L}^k$, defines either $\approx$ or $\not\approx$: $\exists \bar{u}\, [\eta_i(xy\bar{u}) \wedge R(xy\bar{u}) \wedge \exists z\, (\eta_i(xz\bar{u}) \wedge \neg R(xz\bar{u}))]$. □

We are now ready to prove Theorem 9. We show that, for any $k$-variable pSC-IFP formula $\Phi$ there are $k$-large equivalence relations $\mathfrak{A}$, which is even, and $\mathfrak{A}'$, which is not, between which $\Phi$ cannot distinguish. This is done by showing that the relations defined by every stage of the evaluation of every fixed point in $\Phi$ are defined by the same $\mathcal{L}^k$ formulae on both equivalence relations. Since no formula of $\mathcal{L}^k$ can distinguish between $\mathfrak{A}$ and $\mathfrak{A}'$, $\Phi$ cannot either. We shall denote by pSC-IFP$^k_n$ the fragment of pSC-IFP in which formulae contain at most $k$ distinct variables and at most $n$ nested fixed points.

Proof (Theorem 9). Fix $k \in \mathbb{N}$. Let $\mathfrak{A}$ and $\mathfrak{A}'$ be $k$-large equivalence relations, with $\mathfrak{A}$ having classes of size $2k, 2k+2, \ldots, 4k$ and $\mathfrak{A}'$ having classes of size $2k-1, 2k+3, 2k+4, 2k+6, \ldots, 4k$. Note that $\mathfrak{A}$ is even and $\mathfrak{A}'$ is not.

Let $\varphi_1, \ldots, \varphi_r \in \mathcal{L}^k$ and $\mathfrak{A}^* = (\mathfrak{A}, \varphi_1^{\mathfrak{A}}, \ldots, \varphi_r^{\mathfrak{A}})$; define $\mathfrak{A}'^*$ similarly. We claim that, for any formula $\Phi \in$ pSC-IFP$^k_n$ and any $r$, there is an $\mathcal{L}^k$ formula $\Phi'$ such that $\mathfrak{A}^* \models \Phi \leftrightarrow \Phi'$ and $\mathfrak{A}'^* \models \Phi \leftrightarrow \Phi'$. This is proved by induction on the depth $n$ of nesting of fixed points, assuming inductively that any relations defined so far by fixed points within which $\Phi$ is nested are defined by the $\varphi_i$. The base case $n = 0$ is trivial since pSC-IFP$^k_0 = \mathcal{L}^k$.

Assume the claim is true for pSC-IFP$^k_n$ and consider $\Phi \in$ pSC-IFP$^k_{n+1}$. Let $\Psi = Q\bar{u}\, \text{sc-ifp}_{X\bar{x}, Y\bar{y}}(\varphi; \psi)(\bar{u})$ be a subformula of $\Phi$. We may assume that $\approx$ is either mentioned in $\Psi$ or is $\mathcal{L}^k$-definable from the relations that are. If not, by Lemma 12, the relations mentioned in $\Psi$ are unions of equality types so $\Psi$ cannot possibly distinguish between $\mathfrak{A}^*$ and $\mathfrak{A}'^*$ and we are done.
To evaluate $\Psi$ on $\mathfrak{A}^*$ we must consider automorphisms of $\mathfrak{B} = \mathfrak{A}^* \restriction \mathrm{voc}\,\Psi$. The automorphisms of $\mathfrak{B}$ are exactly those of $\mathfrak{A}$ as $\mathfrak{A}$ and $\mathfrak{B}$ are $\mathcal{L}^k$-definable in each other. Since no two equivalence classes of $\mathfrak{A}$ are the same size, two tuples $\bar{a}, \bar{b} \in |\mathfrak{A}|^k$ are in the same automorphism class if, and only if, they have the same equality type and $a_i \approx b_i$ for $1 \leq i \leq k$.

As the automorphisms of $\mathfrak{B}$ are exactly the automorphisms of $\mathfrak{A}$, it suffices to consider the evaluation of $\Psi$ in $\mathfrak{A}$ (and, of course, $\mathfrak{A}'$) and we shall assume that all references in $\Psi$ to relations defined by the $\varphi_i$ are replaced with the formulae defining them. After this substitution, $\Psi$ still has at most $k$ distinct variables.

Let $(P_i, Q_i)_{i \geq 0}$ be the labels on a maximal path in $T^{\mathfrak{A}}_{\Psi}$ and $(R_i, S_i)_{i \geq 0}$ the labels on a maximal path in $T^{\mathfrak{A}'}_{\Psi}$. Our second claim is that, for all $i \geq 0$, $Q_i = S_i = \emptyset$ and there are formulae $\theta_i \in \mathcal{L}^k$ such that $P_i = \theta_i^{\mathfrak{A}}$ and $R_i = \theta_i^{\mathfrak{A}'}$.

This is trivial for $i = 0$ as $P_0 = Q_0 = R_0 = S_0 = \emptyset$ by definition. Suppose $P_i = \theta_i^{\mathfrak{A}}$, $R_i = \theta_i^{\mathfrak{A}'}$ and $Q_i = S_i = \emptyset$. $Q_{i+1}$ is the result of evaluating $\psi$ in the structure $(\mathfrak{A}, P_i, Q_i)$. Since $\psi \in$ pSC-IFP$^k_n$, it follows by the inductive hypothesis of the first claim that it is equivalent to some $\psi' \in \mathcal{L}^k$ which, by Lemma 11, we may assume to be quantifier-free. As no quantifier-free formula defines an automorphism class of $\mathfrak{A}$, $Q_{i+1} = \emptyset$. Similarly, $S_{i+1} = \emptyset$.

$P_{i+1}$ is the result of evaluating $\varphi$ in $(\mathfrak{A}, P_i, Q_{i+1})$. By the inductive hypothesis of the first claim, $\varphi$ is equivalent on $\mathfrak{A}$ and $\mathfrak{A}'$ to some $\varphi' \in \mathcal{L}^k$; by the inductive hypothesis of the second claim, $P_i = \theta_i^{\mathfrak{A}}$. It follows that $P_{i+1} = (\theta_i \vee \varphi')^{\mathfrak{A}}$. Similarly, $R_{i+1} = (\theta_i \vee \varphi')^{\mathfrak{A}'}$ and the second claim is proven.

By Lemma 5, there is a $d$ such that, for all $i \geq d$, $P_i = P_d$ and $R_i = R_d$. Therefore, $\Psi \equiv Q\bar{u}\, \theta_d(\bar{u})$ and the first claim is proven. A simple pebble-game argument shows that no $\mathcal{L}^k$ formula can distinguish between $\mathfrak{A}$ and $\mathfrak{A}'$. □

It can be shown, using similar techniques, that there is no formula of SC-IFP$_1$ (even with parameters) that defines the class of graphs all of whose components are of even cardinality. This class can, however, be defined by nesting applications of fixed-point operators. Therefore, SC-IFP$_1$ < SC-IFP$_2$: the ability to nest fixed points also increases the expressive power of the logic. We conjecture that the SC-IFP nesting hierarchy is strict, i.e., that SC-IFP$_n$ < SC-IFP$_{n+1}$ for all $n$. There is no obvious way to simulate a formula using $n$ nested fixed points with one using fewer as each level of nesting may mention a different vocabulary and hence be sensitive to automorphisms of different reducts of the structure.

The results of this section are in contrast to, for example, LFP, IFP, IFP + C, C-IFP and NIO, where neither the ability to supply first-order parameters to fixed points nor to nest fixed points increases the expressive power of the resulting logic (see, e.g., [DR]; the proofs are essentially the same for all of the logics mentioned). Parameters and nesting alter the expressiveness of SC-IFP because they alter the number of automorphisms available to formulae by fixing certain elements or increasing or reducing the number of relevant relations. Although SC-IFP is somewhat unusual in this respect, it remains a reasonable logic. It is, for example, regular in the sense of Ebbinghaus [Ebb85].
4 Expressive Power 

It is easy to see that SC-IFP is strictly more powerful than IFP. Any formula of IFP is equivalent to one of the form $\exists y\, (\text{ifp}_{X\bar{x}}\, \varphi)(y \ldots y)$ for some first-order $\varphi$ and this can be translated directly as $\exists y\, \text{sc-ifp}_{X\bar{x}, Y\bar{y}}(\varphi; \psi)(y \ldots y)$, for any syntactically appropriate $\psi$, as the choice part of the induction is ignored. We saw in the previous section that the class of even equivalence relations is SC-IFP-definable but it is easy to show that it is not definable in IFP.

In the remainder of this section, we consider the close relationship between SC-IFP and the graph isomorphism problem, GI. This is the following query:

Definition 13. Let $\sigma = (A^1, B^1, E^2)$ and let $\mathfrak{A}$ and $\mathfrak{B}$ be graphs on disjoint vertex sets. Denote by $\mathfrak{A} + \mathfrak{B}$ the $\sigma$-structure $(|\mathfrak{A}| \cup |\mathfrak{B}|, |\mathfrak{A}|, |\mathfrak{B}|, E^{\mathfrak{A}} \cup E^{\mathfrak{B}})$. The graph isomorphism problem is the boolean query $\{\mathfrak{A} + \mathfrak{B} : \mathfrak{A} \cong \mathfrak{B}\} \subseteq \mathrm{STRUC}[\sigma]$.

For our purposes, nothing is lost in restricting our attention to graph isomorphism rather than considering the isomorphism problem for general structures. The reader who would prefer to think in terms of general structure isomorphism may view graphs as a notational convenience.

Lemma 14. Let $\sigma$ be a vocabulary. There is a formula $\rho_\sigma(\bar{u}, \bar{v})$ of SC-IFP such that, for any structure $\mathfrak{A}$ in a vocabulary including $\sigma$, $(\mathfrak{A}, \bar{a}, \bar{b}) \models \rho_\sigma$ if, and only if, $\bar{a}$ and $\bar{b}$ are exchanged by some automorphism of $\mathfrak{A} \restriction \sigma$.

Proof. Let $|\bar{u}| = |\bar{v}| = k$. To determine whether there is an automorphism of $\mathfrak{A} \restriction \sigma$ that exchanges $\bar{u}$ and $\bar{v}$, we define a new $k$-ary relation $P$ containing just those two tuples and ask if this relation is an automorphism class. Since $P$ is a new relation, it will be an automorphism class of $(\mathfrak{A} \restriction \sigma, P)$ if, and only if, there is an automorphism of $\mathfrak{A} \restriction \sigma$ that exchanges $\bar{u}$ and $\bar{v}$.

Let $X$, $Y$, $P$ and $Z$ be new relation symbols of arity 0, 0, $k$ and $k$, respectively.

$$\rho_\sigma(\bar{u}, \bar{v}) = \text{ifp}_{X, P\bar{x}}(\theta,\ \bar{x} = \bar{u} \vee \bar{x} = \bar{v})$$

$$\theta = \text{sc-ifp}_{Y, Z\bar{y}}(\mathit{true} \wedge \exists \bar{x}\, Z(\bar{x});\ P(\bar{y})),$$

where '$\mathit{true}$' is some tautology mentioning all of the relation symbols in $\sigma$. $\theta$ attempts to choose a tuple from $P$: this will succeed only if $P$ is a non-trivial automorphism class of $\mathfrak{A} \restriction \sigma$. (Note that $\bar{u}$ and $\bar{v}$ are not parameters to $\theta$ so we are not restricted to automorphisms that fix these tuples.) Before the first iteration of $\rho_\sigma$, $X$ is false and $P$ is empty. Since $P$ is not a non-trivial automorphism class, $X$ remains false after the first iteration but $P$ is set to $\{\bar{u}, \bar{v}\}$. At the second iteration, $X$ will become true if $P$ is an automorphism class but nothing else will change at any future iteration. Hence, $\rho_\sigma$ is satisfied if, and only if, the tuples interpreting $\bar{u}$ and $\bar{v}$ are exchanged by some automorphism of $\mathfrak{A} \restriction \sigma$. □

Theorem 15. The graph isomorphism problem is SC-IFP-definable.

Proof (sketch). Let 21 be a structure in the vocabulary of Definition 13. 21 is an 
instance of the graph isomorphism problem if and B 21 partition |2t| and every 
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edge in E 21 is within one partition: this is first-order definable. To determine 
whether 21 is a yes instance, we first, construct the relation C = (A 21 x A 21 ) U 
(R 21 x R 21 ). 21 is a yes instance if, and only if, ( |2l| ,C,E) contains two vertices, 
one in each (7-component, that are exchanged by an automorphism. This is 
SC-IFP-definable by the previous lemma. □ 
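As an added illustration of the reduction used in the proof of Theorem 15 (example code written for this edition, not code from the paper), the following Python checks, by brute force on two constructed instances, that "some automorphism of $(|\mathfrak{A}|, C, E)$ exchanges a vertex of $A$ with a vertex of $B$" gives the same answer as a direct isomorphism test between the graph on $A$ and the graph on $B$. Function and instance names (`exchanging_automorphism_exists`, `isomorphic_directly`, `TWO_TRIANGLES`, `TRIANGLE_PATH`) are ours.

```python
# Added example, not from the paper: Theorem 15's reduction checked by brute
# force on constructed instances.  A structure in the vocabulary of
# Definition 13 is modelled as two vertex sets A and B plus a set E of
# directed edges (an undirected edge is stored in both directions), and
# C = (A x A) u (B x B) is the relation the proof builds.
from itertools import permutations

def is_instance(A, B, E):
    """A and B must be disjoint and every edge must lie within A or within B."""
    if A & B:
        return False
    return all((u in A and v in A) or (u in B and v in B) for u, v in E)

def exchanging_automorphism_exists(A, B, E):
    """True iff some automorphism of (A u B, C, E) exchanges a vertex of A with a
    vertex of B (the condition of Lemma 14 as applied in Theorem 15).
    Automorphisms are enumerated exhaustively, which is fine for tiny inputs."""
    V = sorted(A | B)
    C = {(u, v) for u in A for v in A} | {(u, v) for u in B for v in B}
    for image in permutations(V):
        f = dict(zip(V, image))
        # a bijection mapping C into C and E into E preserves both relations
        if any((f[u], f[v]) not in C for u, v in C):
            continue
        if any((f[u], f[v]) not in E for u, v in E):
            continue
        # exchanged: f(a) = b and f(b) = a with a in A, b in B
        if any(f[a] in B and f[f[a]] == a for a in A):
            return True
    return False

def isomorphic_directly(A, B, E):
    """Reference answer: is the graph induced on A isomorphic to the one on B?"""
    if len(A) != len(B):
        return False
    EA = {e for e in E if e[0] in A}
    EB = {e for e in E if e[0] in B}
    for image in permutations(sorted(B)):
        f = dict(zip(sorted(A), image))
        if {(f[u], f[v]) for u, v in EA} == EB:
            return True
    return False

def undirected(pairs):
    return {(u, v) for u, v in pairs} | {(v, u) for u, v in pairs}

# constructed instances: two triangles (a yes instance) and a triangle beside a path
TWO_TRIANGLES = ({1, 2, 3}, {4, 5, 6},
                 undirected([(1, 2), (2, 3), (3, 1), (4, 5), (5, 6), (6, 4)]))
TRIANGLE_PATH = ({1, 2, 3}, {4, 5, 6},
                 undirected([(1, 2), (2, 3), (3, 1), (4, 5), (5, 6)]))

def check(instance):
    """Returns (exchange-automorphism answer, direct-isomorphism answer); they agree."""
    A, B, E = instance
    assert is_instance(A, B, E)
    return exchanging_automorphism_exists(A, B, E), isomorphic_directly(A, B, E)
```

The exhaustive search is only there to make the equivalence visible on six vertices; the point of the theorem is that the left-hand condition is what SC-IFP can express, not that it is cheap to decide.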

Recall that a query $Q$ is Cook-reducible to a query $R$ if $Q$ is decided by a polynomial-time Turing machine with an oracle for $R$, i.e., $Q \in \mathrm{P}^R$. We denote by $\mathrm{P}^{\mathrm{GI}}$ the class of problems that are Cook-reducible to graph isomorphism. SC-IFP $\subseteq \mathrm{P}^{\mathrm{GI}}$, as any SC-IFP formula requires at most a polynomial number of iterations, each requiring polynomially many calls to the oracle.

Let IFP(GI) be the logic obtained by closing first-order logic under inflationary fixed points and vectorized generalized quantifiers for graph isomorphism (see [Daw95,EF99] for a definition of vectorized quantifiers). By [Daw95, Theorem 5.6], IFP(GI) captures $\mathrm{P}^{\mathrm{GI}}$ on ordered structures. It is immediate from Theorem 15 that IFP(GI) $\subseteq$ SC-IFP*, the closure of SC-IFP under first-order reductions. (We require closure under reductions to deal with vectorizations; it is not clear whether SC-IFP is so closed.) We conjecture that SC-IFP* is strictly more powerful than IFP(GI), as there seems to be no way for the latter to simulate choice on arbitrary structures. However, on ordered structures, choice can be simulated by taking the least element of any set. This gives:

Theorem 16. On ordered structures, SC-IFP* = IFP(GI) = $\mathrm{P}^{\mathrm{GI}}$. □

What, then, is the expressive power of SC-IFP* on unordered structures? Suppose we can define an order of the automorphism classes of a structure: that is, a linear pre-order whose equivalence classes are precisely the automorphism classes. The elements of each automorphism class can be linearly ordered using the techniques of Example 4, so the pre-order can be refined to a linear order. This linear order can be used to express any $\mathrm{P}^{\mathrm{GI}}$ property of the structure.

It is easy to see that SC-IFP* captures $\mathrm{P}^{\mathrm{GI}}$ on pure sets and on any class of structures with only unary relations. We have seen in Example 4 how to linearly order a pure set. In the second case, the atomic types of elements are automorphism classes and, for any fixed vocabulary, there are only finitely many atomic types, so they can be ordered even by a first-order formula.

Results on IFP+C allow us to show that SC-IFP* captures $\mathrm{P}^{\mathrm{GI}}$ on large classes of graphs. A linear ordering of the $C^k$ types realized in a structure can be produced by an iterated refinement scheme known as the $(k-1)$-dimensional Weisfeiler-Lehman method, which is expressible in IFP+C [CFI92,Ott97]. It can be shown that this ordering of $C^k$ types is also SC-IFP-definable.

A class $\mathcal{C}$ of graphs contains almost all graphs if, as $n \to \infty$, the proportion of all $n$-vertex graphs that are in $\mathcal{C}$ tends to 1. A logic captures a complexity class $C$ on almost all graphs if it captures $C$ on a class containing almost all graphs.

Theorem 17. SC-IFP* captures $\mathrm{P}^{\mathrm{GI}}$ on almost all graphs.

Proof (sketch). Immerman and Lander show that the $C^2$-equivalence classes of almost all graphs are exactly the automorphism classes [IL90]. For any $k$, the ordering of the $C^k$ types is SC-IFP-definable and the result follows from the observations above. □
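The refinement scheme referred to above, in its simplest form, is colour refinement (the 1-dimensional Weisfeiler-Lehman method), whose stable partition of the vertices is the partition into $C^2$-types. As an added example, written for this edition and not taken from the paper or from the cited works, the following Python runs colour refinement with canonical renaming of the colours after every round, so that the stable colours induce a linear order on the classes that depends only on the isomorphism type, which is the kind of ordering the argument for Theorem 17 needs. It also shows the caveat behind "almost all": on two disjoint triangles and on a 6-cycle every vertex gets the same colour, so $C^2$ neither separates the two (non-isomorphic) graphs nor says anything finer than "2-regular". Names such as `colour_refinement`, `ordered_classes` and the constructed graphs are ours.

```python
# Added example, not from the paper: colour refinement, i.e. the 1-dimensional
# Weisfeiler-Lehman method, whose stable partition is the partition of the
# vertices into C^2-types (the k = 2 case of the ordering discussed above).
# Colours are renamed canonically after every round, so the stable colours
# induce a linear order of the classes that depends only on the isomorphism
# type of the graph.  Graphs are constructed inline as adjacency dictionaries.
from collections import Counter

def colour_refinement(adj):
    """adj: vertex -> set of neighbours.  Returns vertex -> canonical stable colour."""
    colour = {v: 0 for v in adj}                      # trivial initial colouring
    while True:
        # signature: own colour and the multiset of neighbour colours
        sig = {v: (colour[v], tuple(sorted(colour[w] for w in adj[v]))) for v in adj}
        rank = {s: i for i, s in enumerate(sorted(set(sig.values())))}
        new = {v: rank[sig[v]] for v in adj}
        # each round only refines, so an unchanged class count means stability
        if len(set(new.values())) == len(set(colour.values())):
            return new
        colour = new

def ordered_classes(adj):
    """The C^2-classes in canonical order (a linear pre-order on the vertices)."""
    col = colour_refinement(adj)
    return tuple(frozenset(v for v in adj if col[v] == c)
                 for c in sorted(set(col.values())))

def class_histogram(adj):
    """Multiset of (colour, size): equal for graphs that C^2 cannot distinguish."""
    return tuple(sorted(Counter(colour_refinement(adj).values()).items()))

def graph(n, edges):
    """Undirected graph on vertices 0..n-1 (constructed input)."""
    adj = {v: set() for v in range(n)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    return adj

PATH4 = graph(4, [(0, 1), (1, 2), (2, 3)])
TWO_TRIANGLES = graph(6, [(0, 1), (1, 2), (2, 0), (3, 4), (4, 5), (5, 3)])
CYCLE6 = graph(6, [(i, (i + 1) % 6) for i in range(6)])
```

On the path with four vertices the two end vertices form one class and the two inner vertices the other, and these are exactly the automorphism classes; on the two regular graphs the histogram `((0, 6),)` is identical, which is why Theorem 17 is stated for almost all graphs rather than for all of them.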



Theorem 18. SC-IFP* captures $\mathrm{P}^{\mathrm{GI}}$ on any class of structures which is closed under disjoint unions and on which IFP+C captures P.

Proof. It follows from [Ott97, Theorem 4.22] that, if IFP+C captures P on a class of structures which is closed under disjoint unions, there is a $k$ such that the $C^k$-equivalence classes of $k$-tuples are automorphism classes. □

It follows from Theorems 17 and 18 that SC-IFP* captures $\mathrm{P}^{\mathrm{GI}}$ on many natural classes of graphs, such as trees [IL90], planar graphs [Gro98] and graphs of bounded tree width [GM99] or genus [Gro00].

Any class of structures on which IFP+C captures P has a polynomial-time isomorphism algorithm (namely, the $k$-dimensional Weisfeiler-Lehman method, for some $k$), so one might hope that Theorem 18 could be improved to SC-IFP* capturing P on such a class of structures. Although the isomorphism problem for these structures is in P, SC-IFP formulae may construct new structures internally and there might not be a polynomial-time isomorphism algorithm for these structures. For example, IFP+C captures P on ordered graphs, but we have already shown that SC-IFP* captures $\mathrm{P}^{\mathrm{GI}}$ on that class. In particular, an SC-IFP formula can take an ordered instance of GI, 'forget' the ordering and ask if the two graphs encoded in the resulting structure are isomorphic. Hence, we cannot expect SC-IFP* to capture P on all classes of structures on which IFP+C does, unless graph isomorphism is itself in P.

Conclusion. Gire and Hoang’s specified symmetric choice logic is a possible 
candidate for a logic for isomorphism-invariant polynomial-time properties. That 
is, it is one of a few logics that have been shown to properly extend IFP + C 
while being contained in P. There is no known example of a polynomial-time 
property that it cannot express. Towards a better understanding of this logic, 
in this paper we develop the semantics of symmetric choice and investigate its 
expressive power. We show that it is closely related to the complexity class P GI . 
We also develop some techniques for establishing lower bounds, using them to 
demonstrate the power of parameters and of nesting. 
Abstract. At CSL 2002, Jerzy Marcinkowski and Tomasz Truderung presented the notions of positive games and persistent strategies [8]. A strategy is persistent if, given any finite or infinite run played on a game graph, each time the player visits some vertex already encountered, this player repeats the decision made when visiting this vertex for the first time. Such strategies require memory, but once a choice is made, it is made for ever. So, persistent strategies are a weakening of memoryless strategies.

The same authors established a direct relation between positive games and the existence of persistent winning strategies. We give a description of such games by means of their topological complexity. In games played on finite graphs, positive games are unexpectedly simple. On the contrary, infinite game graphs, as well as infinite alphabets, yield positive sets involved in non-determined games.

Last, we discuss positive Muller winning conditions. Although they do 
not help to discriminate between memoryless and LAR winning strate- 
gies, they bear a strong topological characterization. 



1 Introduction 

The theoretical framework of infinite two-player games has found growing interest in theoretical computer science. With applications to verification and synthesis of reactive programs, the usual setting is that of finite-state games, where two players move a token along the edges of a finite game graph. The player (0 or 1) to whom the current vertex belongs pushes the token to one of the successors of this vertex. Practical applications imposing simple winning conditions, these games are usually determined, and one can decide the winner and compute a winning strategy. Here, for algorithmic concerns, how much memory is needed to win plays a crucial role. Indeed, memoryless (or positional) strategies for Muller games can be verified in polynomial time, provided winning conditions for the opponent, together with the game graph itself, are given as input.

Recently, a weakening of the notion of memoryless strategy was introduced 
to obtain results on complexity of deciding graph games with winning conditions 
defined by formulas from fragments of LTL [8]. 

* The author sincerely thanks Erich Grädel for numerous remarks and corrections.

Definition 1. A strategy $\sigma$ for player $P$ is persistent if, for each play $v_1 v_2 \cdots v_k$ played according to $\sigma$, whenever $v_i = v_j$ and $P$ is to move at $v_i$, then $v_{i+1} = v_{j+1}$.

A persistent strategy behaves like a strategy that gradually becomes positional. Uncertainty is confined to the vertices not encountered yet. But, once every vertex has been visited, the strategy definitively becomes positional.
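To make Definition 1 concrete, here is an added example (written for this edition, not code from the paper) that generates plays on a small constructed game graph and checks the persistence condition on the finite play produced: whenever player $P$ is at a vertex seen before, the successor chosen must equal the one chosen the first time. A memoryless strategy passes trivially; a strategy that alternates its choice at the same vertex fails. Names such as `is_persistent`, `run`, `GRAPH` and `OWNER` are ours.

```python
# Added example, not from the paper: Definition 1 checked on finite plays.
# A play is a tuple of vertices, owner[v] is the player (0 or 1) moving at v,
# and a strategy is a function from the history played so far to the next vertex.

def is_persistent(play, owner, player):
    """Definition 1 on a finite play: whenever v_i = v_j and `player` moves there,
    the successors v_{i+1} and v_{j+1} must coincide."""
    first_choice = {}
    for i in range(len(play) - 1):
        v, succ = play[i], play[i + 1]
        if owner[v] != player:
            continue
        if v in first_choice and first_choice[v] != succ:
            return False
        first_choice.setdefault(v, succ)
    return True

def run(graph, owner, v_init, strategies, steps):
    """Generate a play of `steps` moves; strategies[p] answers for player p."""
    play = [v_init]
    for _ in range(steps):
        v = play[-1]
        nxt = strategies[owner[v]](tuple(play))
        if nxt not in graph[v]:
            raise ValueError("strategy must follow an edge of the game graph")
        play.append(nxt)
    return tuple(play)

# constructed game graph: player 0 owns 'a', player 1 owns 'b' and 'c'
GRAPH = {'a': {'b', 'c'}, 'b': {'a'}, 'c': {'a'}}
OWNER = {'a': 0, 'b': 1, 'c': 1}

def positional(history):
    return 'b'                                      # memoryless, hence persistent

def alternating(history):
    return 'b' if history.count('a') % 2 else 'c'   # changes its mind at 'a'

def back(history):
    return 'a'                                      # player 1 has a single move

def demo():
    """(persistence of the memoryless play, persistence of the alternating play)."""
    p1 = run(GRAPH, OWNER, 'a', {0: positional, 1: back}, 8)
    p2 = run(GRAPH, OWNER, 'a', {0: alternating, 1: back}, 8)
    return is_persistent(p1, OWNER, 0), is_persistent(p2, OWNER, 0)
```

The check only ever inspects a finite prefix, which is all that can be observed; the definition quantifies over whole plays, so a strategy is persistent only if every such prefix passes.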

It is very useful to know of some general property of the winning conditions that guarantees the existence of persistent strategies among the winning ones. In [8], such a very effective property is pointed out.

Theorem 1 (Marcinkowski & Truderung). If a game on a finite graph is positive for player $P$, and his opponent has a winning strategy, then he has a persistent winning strategy.

Here, a game is positive if, for any two infinite plays $x, y$ where $x$ is a subsequence of $y$, whenever $x$ is winning, $y$ is also winning.

Intuitively, theorem 1 says that, in a positive game for the opponent, if, in 
the picture below, the left infinite path is winning for the other player, then the 
right one also. 




In other words, there exists a persistent winning strategy if removing loops 
that are subpaths still preserves the winning condition. 

Not all games that admit persistent winning strategies are positive (for one of the players). For example, most parity games are not positive for either player; however, the winner has a memoryless - hence persistent - winning strategy.

This paper gives a description of these positive games by means of their topological complexity. We show that they are quite simple - $\Pi^0_2$ - when the game graph is finite. On the contrary, when the constraint of finite graphs is abandoned, these games can be extremely complicated, and can even give rise to non-determined games. Last, we study the prominent example of Muller winning conditions. In this context, we show that positive games and $\Pi^0_2$ games coincide.

2 Preliminaries 

Given two - finite or infinite - sequences $x, y$, the relation $x \sqsubseteq y$ means that $x$ is a subsequence of $y$. We write $x \sqsubset y$ when $x \sqsubseteq y$ holds but $y \sqsubseteq x$ fails.

Unless mentioned otherwise, throughout this paper we consider infinite two-player games played on a directed graph $\mathcal{G} = (v_{it}, V_0, V_1, E)$, where $\{V_0, V_1\}$ is a partition (between the two players 0 and 1) of the set of vertices $V$. The initial vertex where the play starts is $v_{it}$. An infinite play $x$ is nothing but an infinite sequence of vertices $x = v_0 v_1 v_2 \cdots v_i v_{i+1} \cdots$ such that $v_0 = v_{it}$ and, for every integer $i$, $(v_i, v_{i+1}) \in E$, the choice of $v_{i+1}$ being made by the player to whom $v_i$ belongs.

We set $\mathcal{G}^*$ as the tree of all possible positions inside $\mathcal{G}$:

$\mathcal{G}^* = \{v_0 v_1 v_2 \cdots v_n \in V^* : v_0 = v_{it} \land \forall i < n\ (v_i, v_{i+1}) \in E\}.$

We write $\mathcal{G}^\omega$ for the set of infinite plays (the set of infinite branches of $\mathcal{G}^*$). With these notations, the definition of a positive game becomes:

Definition 2 (Marcinkowski & Truderung [8]). Let $A \subseteq \mathcal{G}^\omega$,

$A \text{ is positive} \iff_{\mathrm{def}} \forall x, y \in \mathcal{G}^\omega\ (x \in A \land x \sqsubseteq y) \to y \in A.$

We equip $\mathcal{G}^\omega$ with the usual topology, that is, the topology induced by the usual topology on $V^\omega$: the product topology of the discrete topology on $V$. In other words, non-empty open sets of $\mathcal{G}^\omega$ take the form $W V^\omega \cap \mathcal{G}^\omega$ for some set $W \subseteq \mathcal{G}^*$ of finite words.

We recall that the finite Borel hierarchy is a sequence $\Sigma^0_1, \Pi^0_1, \Sigma^0_2, \Pi^0_2, \ldots$ of classes of $\omega$-languages over spaces of the form $\mathcal{G}^\omega$, inductively defined by:

- $\Sigma^0_1 = \{\text{open sets}\}$,

- $\Pi^0_n = \{A^c : A \in \Sigma^0_n\}$ $(n > 0)$, where $A^c$ stands for the complement of $A$,

- $\Sigma^0_{n+1} = \{\bigcup_{i \in \mathbb{N}} A_i : \forall i \in \mathbb{N}\ A_i \in \Pi^0_n\}$, the countable unions of sets in $\Pi^0_n$.

This hierarchy classifies sets with respect to their topological complexity. It is ordered by inclusion in the sense that $\Sigma^0_n$ and $\Pi^0_n$ are both strictly included in $\Sigma^0_{n+1}$ and $\Pi^0_{n+1}$, while $\Sigma^0_n$ and $\Pi^0_n$ are incomparable for inclusion. The class $\Sigma^0_n \cap \Pi^0_n$ is denoted $\Delta^0_n$.

3 Finite Game Graphs 

For the general study of positive games, we need to consider the following basic sets.

Definition 3. Let $\alpha = (u, \Lambda) \in \mathcal{G}^* \times \mathcal{P}^+(V)$, where $\mathcal{P}^+(V)$ denotes the non-empty subsets of $V$,

$\Omega_\alpha = \bigcup_{u \sqsubseteq v} (v\,\Pi_\Lambda \cap \mathcal{G}^\omega) = \Bigl(\bigcup_{u \sqsubseteq v} v\,\Pi_\Lambda\Bigr) \cap \mathcal{G}^\omega,$

where $\Pi_\Lambda = \{y \in V^\omega : \forall a \in \Lambda\ \ a \text{ occurs infinitely often in } y\}$.

So, $\Omega_\alpha$ is the set of all infinite sequences in $\mathcal{G}^\omega$ that contain $u$ as a subsequence, and infinitely many times all vertices of $\Lambda$. It is $\omega$-rational and topologically simple:

Proposition 1. Let $\alpha = (u, \Lambda) \in \mathcal{G}^* \times \mathcal{P}^+(V)$,

$\Omega_\alpha \in \Pi^0_2.$
Proof of proposition 1: We assume $\Lambda = \{a_0, \ldots, a_k\}$. To show that $\Omega_\alpha \in \Pi^0_2$, it is enough to see that

$\Omega_\alpha = \bigcup_{u \sqsubseteq v} v\,(V^* a_0 V^* a_1 \cdots V^* a_k V^*)^\omega \cap \mathcal{G}^\omega.$ $\dashv_1$

We equip $\mathcal{G}^* \times \mathcal{P}^+(V)$ with the following partial ordering.

Definition 4. Let $\alpha = (u, \Lambda)$, $\beta = (v, \Gamma) \in \mathcal{G}^* \times \mathcal{P}^+(V)$,

$\alpha \le_s \beta \iff_{\mathrm{def}} u \sqsubseteq v \land \Lambda \subseteq \Gamma.$

Lemma 1. $(\mathcal{G}^* \times \mathcal{P}^+(V), \le_s)$ is a well quasi ordering (WQO).

Proof of lemma 1: We first recall Higman's lemma ([5] [11]), which states that, given any WQO $\le$ on some alphabet $\Sigma$, the partial ordering on $\Sigma^*$ defined by $u \sqsubseteq v \iff_{\mathrm{def}} u_i \le v_{\varphi(i)}$ holds for some strictly increasing $\varphi : \mathrm{lh}(u) \to \mathrm{lh}(v)$, is also a WQO.

Clearly, $(V, =)$ is a WQO (only because $V$ is finite!). Hence, by Higman's lemma, $\sqsubseteq$ is a WQO on $V^*$, from which we derive that $\sqsubseteq$ is a WQO on $\mathcal{G}^*$.

- Towards a contradiction, we assume that there exists an infinite decreasing sequence $\alpha_0 >_s \alpha_1 >_s \alpha_2 >_s \alpha_3 >_s \cdots$. Since $\mathcal{P}^+(V)$ is finite, there is an infinite subsequence $\alpha_{i_0} >_s \alpha_{i_1} >_s \alpha_{i_2} >_s \alpha_{i_3} >_s \cdots$ where all elements have the same second projection. Letting $u_j$ denote the first projection of $\alpha_j$, we obtain $u_{i_0} \sqsupset u_{i_1} \sqsupset u_{i_2} \sqsupset u_{i_3} \sqsupset \cdots$, which contradicts the fact that $\sqsubseteq$ is a WQO on $V^*$.

- Towards a contradiction, let us assume that there exists an infinite antichain $(\alpha_i)_{i \in \mathbb{N}}$ for $\le_s$. Since $\mathcal{P}^+(V)$ is finite, there exists an infinite subset $I \subseteq \mathbb{N}$ such that all elements in $(\alpha_i)_{i \in I}$ have the same second projection. Letting $u_i$ denote the first projection of $\alpha_i$, we obtain that $(u_i)_{i \in I}$ is an infinite antichain for $\sqsubseteq$, which also contradicts the fact that $\sqsubseteq$ is a WQO on $V^*$.

So $\le_s$ is a WQO on $V^* \times \mathcal{P}^+(V)$; therefore $\le_s$ is also a WQO on $\mathcal{G}^* \times \mathcal{P}^+(V)$. $\dashv_1$

Definition 5. We define the mapping $x \mapsto \alpha_x$ from $\mathcal{G}^\omega$ to $\mathcal{G}^* \times \mathcal{P}^+(V)$ by $\alpha_x = (u, \Lambda) \in \mathcal{G}^* \times \mathcal{P}^+(V)$, where:

- $\Lambda$ is the non-empty set of all letters occurring infinitely often in $x$;

- $u$ is the shortest sequence such that $u^{-1}x \in \Lambda^\omega$ (i.e., $x = uy$ with $y \in \Lambda^\omega$). Or, equivalently, $u$ is the longest prefix of $x$ that ends with a letter not in $\Lambda$.

This mapping, the sets $\Omega_\alpha$, and the WQO $\le_s$ are all we need to prove:
Theorem 2. Let $A \subseteq \mathcal{G}^\omega$ be positive, and $x \in \mathcal{G}^\omega$,

1. $x \in A \Rightarrow x \in \Omega_{\alpha_x} \subseteq A$,

2. $A = \bigcup_{x \in A} \Omega_{\alpha_x}$,

3. there exists some finite set $\{x_0, \ldots, x_k\} \subseteq A$ such that $A = \bigcup_{i \le k} \Omega_{\alpha_{x_i}}$,

4. $A \in \Pi^0_2$, and $A$ is an $\omega$-rational set.

Proof of theorem 2: (1) and (2) are immediate from the definition of both $\alpha_x$ and $\Omega_\alpha$. (3) is an immediate consequence of lemma 1: we set

$B = \{\alpha_x : x \in A\}.$

We let $\mathrm{Min}_B$ be the set of all $\le_s$-minimal elements of $B$. Clearly $\mathrm{Min}_B$ forms an antichain for $\le_s$, hence, by lemma 1, it is finite. Since $\Omega_\beta \subseteq \Omega_\alpha$ clearly follows from $\alpha \le_s \beta$, we obtain

$A = \bigcup_{x \in A} \Omega_{\alpha_x} = \bigcup_{\alpha \in B} \Omega_\alpha \subseteq \bigcup_{\alpha \in \mathrm{Min}_B} \Omega_\alpha \subseteq A.$

Finally, (4) comes from the fact that $A = \bigcup_{\alpha \in \mathrm{Min}_B} \Omega_\alpha$, where each $\Omega_\alpha$ is both $\omega$-rational and a $\Pi^0_2$-set. Hence $A$ is $\omega$-rational and $\Pi^0_2$ as a finite union of $\omega$-rational $\Pi^0_2$-sets. $\dashv_2$

This yields the following characterization of positive games played on finite graphs:

Proposition 2. Let $A \subseteq \mathcal{G}^\omega$,

$A \text{ positive} \iff A = \bigcup_{i \le k} \Omega_{\alpha_i}$ for finitely many $\alpha_0, \ldots, \alpha_k \in \mathcal{G}^* \times \mathcal{P}^+(V)$.

Proof of proposition 2: ($\Rightarrow$) is case (3) of the previous theorem. The other direction relies on:

- the class of positive subsets of $\mathcal{G}^\omega$ is closed under union,

- each $\Omega_\alpha$ is positive.

$\dashv_2$
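The objects of Definitions 3 to 5 and the characterization of Proposition 2 can be exercised on ultimately periodic plays $x = u v^\omega$, for which subsequence tests and the set of letters occurring infinitely often are decidable. The following is an added example written for this edition, not code from the paper: it represents such a play as a pair of finite tuples, implements $\sqsubseteq$, $\alpha_x$, membership in $\Omega_\alpha$, $\le_s$ and membership in a finite union of $\Omega_\alpha$'s, and checks Theorem 2(1) together with the positivity of $\Omega_\alpha$ on constructed plays. It works on sequences over a finite vertex set only; that the plays follow the edges of a game graph is not checked. All function names and the sample plays `X`, `Y`, `Z` are ours.

```python
# Added example, not from the paper: Definitions 3-5 and Proposition 2 made
# executable for ultimately periodic plays x = u v^omega, represented as a pair
# (u, v) of finite tuples over a finite vertex set.  Only sequences are handled;
# that they follow the edges of a game graph is not checked here.

def finite_subseq(u, w):
    """u is a subsequence of the finite word w (greedy left-to-right embedding)."""
    it = iter(w)
    return all(any(a == b for b in it) for a in u)

def prefix_subseq(u, y):
    """u is a subsequence of some finite prefix of y = (p, v): embed greedily
    into p; every letter of u left over must occur in the period v."""
    p, v = y
    it = iter(p)
    leftover = ()
    for i, a in enumerate(u):
        if not any(a == b for b in it):
            leftover = u[i:]
            break
    return all(a in v for a in leftover)

def subseq(x, y):
    """x ⊑ y (Section 2) for ultimately periodic x and y."""
    (u1, v1), (u2, v2) = x, y
    return set(v1) <= set(v2) and prefix_subseq(u1, y)

def alpha(x):
    """Definition 5: alpha_x = (u, Lambda), Lambda the letters occurring infinitely
    often, u the longest prefix ending with a letter outside Lambda."""
    p, v = x
    lam = frozenset(v)
    cut = max((i + 1 for i, a in enumerate(p) if a not in lam), default=0)
    return (tuple(p[:cut]), lam)

def in_omega(a, y):
    """y ∈ Omega_alpha (Definition 3): u ⊑ y and every vertex of Lambda occurs
    infinitely often in y."""
    u, lam = a
    return prefix_subseq(u, y) and lam <= set(y[1])

def le_s(a, b):
    """Definition 4: (u, Lambda) <=_s (v, Gamma) iff u ⊑ v and Lambda ⊆ Gamma."""
    return finite_subseq(a[0], b[0]) and a[1] <= b[1]

def in_positive_set(alphas, y):
    """Proposition 2: a positive set is a finite union of Omega_alpha's."""
    return any(in_omega(a, y) for a in alphas)

# constructed plays over the vertices {0, 1, 2}
X = ((0, 1, 0), (2, 0))            # 0 1 0 (2 0)^omega
Y = ((1, 0, 1, 0), (2, 0, 1))      # 1 0 1 0 (2 0 1)^omega, has X as a subsequence
Z = ((0, 0), (0,))                 # 0 0 0^omega

def demo():
    """alpha_X, Theorem 2(1) for X, X ⊑ Y, positivity pulls Y in, Z stays out."""
    a = alpha(X)                   # ((0, 1), {0, 2})
    return a, in_omega(a, X), subseq(X, Y), in_omega(a, Y), in_omega(a, Z)
```

The positivity of $\Omega_\alpha$ used in the proof of Proposition 2 is visible in the code: `in_omega` only asks whether $u$ embeds and whether $\Lambda$ repeats, and both properties are inherited by any $y$ with $x \sqsubseteq y$.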

Similarly to computational complexity, there are notions of reduction and completeness for topological complexity. What plays there the role of polynomial-time reduction is continuous reduction: given two $\omega$-languages $A$ and $B$, one says $A$ continuously reduces to $B$ (denoted $A \le_W B$, since introduced by Wadge in 1974 [15]) if there is a continuous mapping $\varphi$ such that $x \in A \iff \varphi(x) \in B$ holds. Continuity for such a mapping $\varphi : \mathcal{G}^\omega \to \mathcal{G}'^\omega$ means that every inverse image of an open set is open: for any $W_B \subseteq \mathcal{G}'^*$ there exists some $W_A \subseteq \mathcal{G}^*$ such that $y \in (W_A V^\omega) \cap \mathcal{G}^\omega \iff \varphi(y) \in (W_B V'^\omega) \cap \mathcal{G}'^\omega$ holds for all $y \in \mathcal{G}^\omega$.

The relation $\le_W$ is a partial ordering which measures topological complexity. Intuitively, $A \le_W B$ means that $A$ is less complicated than $B$ with regard to the topological structure. This notion of continuous reduction yields the one of completeness for topological classes. Indeed, a set $A$ is $\Sigma^0_n$-complete (resp. $\Pi^0_n$-complete) if it belongs to the class $\Sigma^0_n$ (resp. $\Pi^0_n$) and reduces all sets in the class. For example, $0^*1\{0,1\}^\omega$ is $\Sigma^0_1$-complete, and the set $Q$ of all infinite words over the alphabet $\{0,1\}$ that have finitely many 1s is $\Sigma^0_2$-complete. As a matter of fact, if $A$ is $\Sigma^0_n$-complete, then its complement $A^c$ is $\Pi^0_n$-complete, and $A$ and $A^c$ are incomparable for $\le_W$. We write $A \equiv_W B$ when both $A \le_W B$ and $B \le_W A$ hold, and $A <_W B$ when $A \le_W B$ is verified but not $B \le_W A$. (For background see e.g. [6].)

The main device in working with this measure of complexity is due to Wadge [15]. It is a game that links the existence of a winning strategy for a player to the existence of a continuous function that witnesses the relation $A \le_W B$:

Definition 6 (Wadge game). Given $A \subseteq \Sigma_A^\omega$ and $B \subseteq \Sigma_B^\omega$, $W(A, B)$ is an infinite two-player game between players I and II, where players take turns. Player I plays letters in $\Sigma_A$, and II plays finite words over the alphabet $\Sigma_B$. At the end of an infinite play (in $\omega$ moves), I has produced an $\omega$-sequence $x \in \Sigma_A^\omega$ of letters and II has produced an $\omega$-sequence of finite words which, concatenated, give rise to a finite or $\omega$-word $y \in \Sigma_B^* \cup \Sigma_B^\omega$. The winning condition on the resulting play, denoted here $x \frown y$, is the following:

$\text{II wins the play } x \frown y \iff_{\mathrm{def}} y \text{ is infinite} \land (x \in A \leftrightarrow y \in B).$

Proposition 3 ([15]). II has a winning strategy in $W(A, B) \iff A \le_W B$.

We recall that an ordinal is the set of its predecessors, i.e., $\xi + 1 = \{0, 1, 2, \ldots, \xi\}$. In order to get a finer characterization of the positive sets, we introduce the following sets.

Definition 7. Given any countable ordinal $\xi$ and $i \in \{0, 1, (0,1)\}$, we define $\mathcal{D}^\xi_i$ by:

- $\mathcal{D}^\xi_0 = \{x \in (\xi+1)^\omega : \mathrm{parity}(\min_x) \text{ is even}\}$, where $\min_x$ is the least ordinal in the longest decreasing initial sequence of $x$, and $\alpha$ is even iff $\alpha = \omega \cdot \beta + n$ for some even $n \in \mathbb{N}$,

- $\mathcal{D}^\xi_1 = (\xi+1)^\omega \setminus \mathcal{D}^\xi_0$, and

- $\mathcal{D}^\xi_{(0,1)} = 0\,\mathcal{D}^\xi_0 \cup 1\,\mathcal{D}^\xi_1$.

The space $(\xi+1)^\omega$ is equipped with the usual topology, that is, basic open sets are of the form $u(\xi+1)^\omega$ for some finite sequence $u$ of ordinals below $\xi+1$.

We need two technical results. For $A \subseteq \mathcal{G}^\omega$ and $u \in \mathcal{G}^*$, $A_{(u)}$ denotes the set of infinite words $x$ such that $ux \in A$.

Lemma 2. Let $A \subseteq \Sigma^\omega$,

$A \in \Delta^0_2 \iff \exists!\,\xi < \omega_1\ \exists!\,i \in \{0, 1, (0,1)\}\ \bigl(A \equiv_W \mathcal{D}^\xi_i\bigr).$
Lemma 3. Let $A \subseteq \mathcal{G}^\omega$, $\theta < \lambda$ be countable ordinals with $\lambda$ limit, $i \in \{0, 1, (0,1)\}$, and $n \in \mathbb{N}$,

$\mathcal{D}^\theta_0 <_W A \equiv_W \mathcal{D}^{\lambda+n}_i \Rightarrow \exists u \in \mathcal{G}^*\ \bigl(A_{(u)} \equiv_W \mathcal{D}^{\theta+1}_0 \text{ or } A_{(u)} \equiv_W \mathcal{D}^{\theta}_0\bigr).$

The previous two lemmas are very similar to results published in [3]. For completeness, we give direct proofs in the appendix. $D_n(\Sigma^0_1)$ is the class of sets $A = (A_{n-1} \setminus A_{n-2}) \cup (A_{n-3} \setminus A_{n-4}) \cup \cdots$ for open sets $A_0 \subseteq A_1 \subseteq \cdots \subseteq A_{n-1}$.

Lemma 4. Let $A \subseteq \mathcal{G}^\omega$ be positive,

$A \in \Delta^0_2 \Rightarrow \exists n \in \mathbb{N}\ A \in D_n(\Sigma^0_1)$

(i.e., $A \equiv_W \mathcal{D}^n_i$ for some $i \in \{0, 1, (0,1)\}$ and $n \in \mathbb{N}$).

Proof of lemma 4: Towards a contradiction, we assume that $A \in D_n(\Sigma^0_1)$ fails for every integer $n$. This is equivalent to saying that $\mathcal{D}^n_0 <_W A$ holds for any $n$. From proposition 2, we can assume that there exists an integer $k$ such that

$A = \bigcup_{i \le k} \Omega_{\alpha_i}$ with $\alpha_0 = (u_0, \Lambda_0), \ldots, \alpha_k = (u_k, \Lambda_k) \in \mathcal{G}^* \times \mathcal{P}^+(V)$.

Since $A \in \Delta^0_2 \setminus \bigl(\bigcup_{n \in \mathbb{N}} D_n(\Sigma^0_1)\bigr)$, there exist some limit ordinal $\lambda$, some integer $n$ and some $i \in \{0, 1, (0,1)\}$ such that $A \equiv_W \mathcal{D}^{\lambda+n}_i$. By lemma 3, given non-limit ordinals $\theta_0 < \theta_1 < \theta_2 < \cdots$ below $\lambda$, there exists a sequence of finite words $(w_i)_{i \in \mathbb{N}}$ of $\mathcal{G}^*$, together with a sequence $(c_i)_{i \in \mathbb{N}} \in 2^\omega$, such that $A_{(w_i)} \equiv_W \mathcal{D}^{\theta_i + c_i}_0$. So, in particular, $A_{(w_i)} <_W A_{(w_j)}$ holds for any $i < j$. It follows that there exists an infinite subset $I \subseteq \mathbb{N}$ such that, given any two $i, j \in I$:

$w_i(\mathrm{lh}(w_i) - 1) = w_j(\mathrm{lh}(w_j) - 1)$ and $\forall l \le k\ \forall w \sqsubseteq u_l\ (w \sqsubseteq w_i \iff w \sqsubseteq w_j)$.

In other words, $w_i$ and $w_j$ both end with the same vertex (let us call it $v_{end}$), and they extend exactly the same prefixes of the same words among $\{u_0, \ldots, u_k\}$.

Now consider two different $i, j \in I$ such that $i < j$; one has $A_{(w_i)} <_W A_{(w_j)}$. Let $\sigma$ be any winning strategy for II in the game $W(A_{(w_i)}, \mathcal{D}^{\theta_i + c_i}_0)$. We claim that $\sigma$ is winning for II in the game $W(A_{(w_j)}, \mathcal{D}^{\theta_i + c_i}_0)$. For this, we let $\mathcal{G}^\omega_{v_{end}}$ denote the set of infinite paths in the graph $\mathcal{G}$ with initial vertex $v_{end}$. It is then enough to notice the following:

$\forall x \in \mathcal{G}^\omega_{v_{end}}\quad x \in A_{(w_i)} \iff \exists l \le k\ (u_l \sqsubseteq w_i x \land x \in \Pi_{\Lambda_l}) \iff \exists l \le k\ (u_l \sqsubseteq w_j x \land x \in \Pi_{\Lambda_l}) \iff x \in A_{(w_j)}.$

This proves that II wins $W(A_{(w_j)}, \mathcal{D}^{\theta_i + c_i}_0)$, hence $A_{(w_j)} \le_W \mathcal{D}^{\theta_i + c_i}_0 \equiv_W A_{(w_i)}$ holds, which contradicts $A_{(w_i)} <_W A_{(w_j)}$. $\dashv_4$

These technical results put together give the following characterization of positive games.

Theorem 3. Let $V$ be finite, and $A \subseteq \mathcal{G}^\omega$,

$A \text{ positive} \Rightarrow A \equiv_W \mathcal{D}^n_i$ for some $n \in \mathbb{N}$ and $i \in \{0, 1, (0,1)\}$, or $A \equiv_W Q^c$.

Proof of theorem 3: From theorem 2(4), we know that if $A$ is positive, then $A$ belongs to $\Pi^0_2$, hence $A \le_W Q^c$ holds. If $A <_W Q^c$ is verified, then $A \in \Delta^0_2$ and, by lemma 4, this implies that $A$ is a finite difference of open sets. Hence, the only possibilities are $A \equiv_W \mathcal{D}^n_i$ for some integer $n$ and some $i \in \{0, 1, (0,1)\}$. $\dashv_3$

To say it differently, any infinite play will sooner or later be restricted to some strongly connected component (SCC) of the game graph. Assume $ux$ and $uy$ are two infinite plays with final parts $x$ and $y$ taking place in the same SCC. The first condition, $A \equiv_W \mathcal{D}^n_i$, means that $ux \in A$ iff $uy \in A$. The second condition, $A \equiv_W Q^c$, means that for at least one SCC there exist such particular $u, x, y$ with $ux \notin A$, $uy \in A$, and $x \sqsubset y$.



Remark 1. The other direction of the implication in theorem 3 does not hold: consider the open set $0\,1\,0\,2^\omega$ inside the following graph. It is not positive, and its complement is not positive either.




To conclude with finite graphs, we would like to focus on the particular case of positive subsets of $\Sigma^\omega$ for some finite alphabet $\Sigma$. For the rest of this section, positive set means a set that satisfies $\forall x, y \in \Sigma^\omega\ ((x \in A \land x \sqsubseteq y) \to y \in A)$. Replacing $\mathcal{G}$ by $\Sigma$, Theorem 1 still holds for such winning sets. Amazingly, getting rid of the constraint of the graph yields even sharper results. First we need two easy lemmas.

Lemma 5. Let $A \subseteq \Sigma^\omega$ be positive, $B \subseteq \Gamma^\omega$ any non-empty set, and $b \notin \Gamma$,

$B \le_W A \Rightarrow B' \le_W A,$

where $B'$ is the subset of $(\Gamma \cup \{b\})^\omega$ defined by $B' = B \cup \Gamma^* b (\Gamma \cup \{b\})^\omega$.

In particular, $A \equiv_W \mathcal{D}^\xi_1$ always fails for $\xi > 0$.

Proof of lemma 5: Since $B$ is non-empty, $A$ must be non-empty, hence there exists some $\alpha = (u, \Lambda) \in \Sigma^* \times \mathcal{P}^+(\Sigma)$ such that $\Omega_\alpha \subseteq A$. Now consider any winning strategy $\sigma$ for II in $W(B, A)$; the following strategy is also winning for II in $W(B', A)$: play $\sigma$ as long as I does not play $b$; play some sequence $y \in u\Pi_\Lambda$ when I plays $b$. $\dashv_5$
Lemma 6. Let $A \subseteq \Sigma^\omega$,

$A \text{ positive} \Rightarrow A \not\le_W A^c.$

Proof of lemma 6: First of all, in $\Sigma^0_1 \cup \Pi^0_1$ the only sets that verify $A \le_W A^c$ (called self-dual) are the $\Delta^0_1$-complete ones [2] [15]. But if $A$ is both positive and satisfies $u\Sigma^\omega \subseteq A^c$ (for some finite word $u$), then $A = \emptyset$. This shows that there exists no positive self-dual set inside $\Sigma^0_1 \cup \Pi^0_1$. Since $\Pi^0_2$-complete sets are non-self-dual (see [2] [15]), the only remaining problem are the sets in $\Delta^0_2 \setminus (\Sigma^0_1 \cup \Pi^0_1)$. By lemma 4, this case is the one of the sets of the form $A \in D_n(\Sigma^0_1)$ for some integer $n$. So, towards a contradiction, we assume that both $A \le_W A^c$ and $A \in \bigcup_{n \in \mathbb{N}} D_n(\Sigma^0_1) \setminus (\Sigma^0_1 \cup \Pi^0_1)$ hold. It follows that there exists some integer $n \ge 1$ such that $\mathcal{D}^n_{(0,1)} \equiv_W A$. By lemma 5, this leads to $\mathcal{D}'^n_{(0,1)} \le_W A$, where $\mathcal{D}'^n_{(0,1)}$ is the subset of $\{0, 1, \ldots, n, b\}^\omega$ defined by

$\mathcal{D}'^n_{(0,1)} = \mathcal{D}^n_{(0,1)} \cup \{0, 1, \ldots, n\}^* b \{0, 1, \ldots, n, b\}^\omega.$

But clearly $\mathcal{D}'^n_{(0,1)} \equiv_W \mathcal{D}^{n+1}_0$ holds, which contradicts the fact that $A \equiv_W \mathcal{D}^n_{(0,1)}$. $\dashv_6$

Theorem 4. Let $\Sigma$ be finite, and $A \subseteq \Sigma^\omega$,

$A \text{ positive} \Rightarrow A \equiv_W \emptyset$, or $A \equiv_W \mathcal{D}^n_0$ $(n \in \mathbb{N})$, or $A \equiv_W Q^c$.

Proof of theorem 4: From theorem 2(4), we know that if $A$ is positive, then $A$ belongs to $\Pi^0_2$, hence $A \le_W Q^c$ holds. If $Q^c \le_W A$ fails, then $A \in \Delta^0_2$. Hence, by lemma 4, $A$ is a finite difference of open sets, or in other words: $A \equiv_W \mathcal{D}^n_i$ for some integer $n$ and some $i \in \{0, 1, (0,1)\}$. But lemmas 6 and 5 prohibit respectively the case $i = (0,1)$ and the case $i = 1$ (except for $n = 0$, which corresponds to $A = \emptyset$). So the only remaining possibilities are $A \equiv_W \mathcal{D}^n_0$ for $n \in \mathbb{N}$, with $A = \emptyset \equiv_W \mathcal{D}^0_1$. Examples for the first and last case are $A = \emptyset$ and $A = Q^c$. The only example for the case $A \equiv_W \mathcal{D}^0_0$ is $A = \Sigma^\omega$. Finally, for $A \equiv_W \mathcal{D}^n_0$ with $n > 0$, set $A = \Omega_{\alpha_0} \cup \Omega_{\alpha^n_1}$, where $\alpha_0$ and $\alpha^n_1$ are defined by:

$\alpha_0 = (u_0, \Lambda_0)$ with $u_0 = \varepsilon$, $\Lambda_0 = \{0\}$,

$\alpha^n_1 = (u^n_1, \Lambda_1)$ with $u^n_1 = \cdots 01010$ ($n$ letters), $\Lambda_1 = \{1\}$.

By $u^n_1 = \cdots 01010$ we mean $u^1_1 = 0$, $u^{2k+1}_1 = 0\,u^{2k}_1$, and $u^{2k+2}_1 = 1\,u^{2k+1}_1$. The set $A = \Omega_{\alpha_0} \cup \Omega_{\alpha^n_1}$ is both positive and satisfies $A \equiv_W \mathcal{D}^n_0$. $\dashv_4$

4 Infinite Game Graphs

While working with finite graphs, we saw that positive sets are very simple objects. On the contrary, when working with infinite game graphs, a first remark is that any set is homeomorphic to a positive one. Precisely, given any alphabet $\Sigma$, one can design a game graph $\mathcal{G} = (v_{it}, V_0, V_1, E)$ such that $V = \Sigma^*$, $v_{it} = \varepsilon$ (the empty word) and $E = \{(u, ua) : u \in \Sigma^*, a \in \Sigma\}$ - the partition $\{V_0, V_1\}$ of $V$ doesn't matter. Clearly $\mathcal{G}^\omega$ and $\Sigma^\omega$ are homeomorphic, and for two infinite sequences $x, y \in \mathcal{G}^\omega$, $x \sqsubseteq y$ implies $x = y$, so that any subset of $\mathcal{G}^\omega$ is positive. Therefore working with positive sets in this general setting is totally useless.

The fundamental reason for this vacuity is the capacity of the graph to control positiveness. So we may ask the question in a different setting. We saw that positive subsets of $\Sigma^\omega$ are simpler than those of $\mathcal{G}^\omega$ when the alphabet, respectively the graph, is simple. Therefore, the idea of considering infinite alphabets instead of infinite graphs should here also lead to a completely different answer. It certainly does; however, even if the condition $\forall x, y \in \Sigma^\omega\ ((x \in A \land x \sqsubseteq y) \to y \in A)$ is rarely satisfied, these positive sets may be extremely complicated. Amazingly, when the alphabet is finite, all such sets are in $\Pi^0_2$, but as soon as $\Sigma$ becomes infinite, they reach such high levels of complexity that they make determinacy fail.

We recall that, given a tree $T$ on an alphabet $\Sigma$ and a winning set $A \subseteq \Sigma^\omega$, the Gale-Stewart game $G(T, A)$ is an infinite two-player game where players (I and II) take turns playing letters in $\Sigma$. Player I begins, and all positions must remain inside $T$ (otherwise the first player to exit this tree loses). Then, if both players only reach positions inside $T$, the play ($x \in \Sigma^\omega$) is an infinite branch of this tree. Player I wins if $x \in A$, player II wins otherwise. It is well known that this game is determined as soon as $A$ is Borel [9], and for sets of higher level in the projective hierarchy, determinacy was shown to be equivalent to large cardinal hypotheses [10].

Proposition 4 (in ZF+BPI). There exists a positive set $A \subseteq \mathbb{N}^\omega$ and a tree $T \subseteq \mathbb{N}^*$ such that

$G(T, A)$ is not determined.

The proof - widely inspired by folklore - takes place in usual Set Theory (ZF), with some additional choice, namely BPI (Boolean Prime Ideal theorem). BPI stands for the assumption that every Boolean algebra has a prime ideal. It is a common statement in algebra, much weaker than the full Axiom of Choice. However, it is independent from DC (Dependent Choice), another weak version of the axiom of choice, used to prove large amounts of mathematics.

Proof of proposition 4: We describe the tree $T$ and the winning set $A$ later. First, we let $U$ be a free ultrafilter over $\mathbb{N}$. We recall that filters over $\mathbb{N}$ are subsets $\mathcal{F} \subseteq \mathcal{P}(\mathbb{N})$ that satisfy:

- $U \in \mathcal{F} \land V \in \mathcal{F} \Rightarrow U \cap V \in \mathcal{F}$,

- $U \in \mathcal{F} \land U \subseteq V \Rightarrow V \in \mathcal{F}$,

- $\emptyset \notin \mathcal{F}$.

An ultrafilter is a filter with the additional property that for all $U \subseteq \mathbb{N}$, either $U \in \mathcal{F}$ or $(\mathbb{N} \setminus U) \in \mathcal{F}$ holds.

The filter $\{U \subseteq \mathbb{N} : \mathbb{N} \setminus U \text{ is finite}\}$ of all co-finite subsets of $\mathbb{N}$ is called the Fréchet filter, and any ultrafilter that contains (extends) the Fréchet filter is called a free ultrafilter. We need the Boolean Prime Ideal theorem to ensure that the Fréchet filter can be extended to an ultrafilter. So, we assume that there exists $U$, some free ultrafilter over $\mathbb{N}$. We set $A$ as the following set

$A = \{y \in \mathbb{N}^\omega : \Im(y) \in U\},$

where $\Im(y)$ denotes the image of $y \in \mathbb{N}^\omega$ (regarded as a function from $\mathbb{N}$ to $\mathbb{N}$).

It is immediate to see that $A$ is positive, since given any two infinite sequences $x, y \in \mathbb{N}^\omega$, $x \sqsubseteq y$ implies $\Im(x) \subseteq \Im(y)$. Therefore, if $x$ is in $A$, then $\Im(x)$ is in $U$, hence $\Im(y)$ is also in $U$, therefore $y \in A$.

Instead of formally describing the tree $T$, we make explicit the rules of the play that it allows and forbids:

- As first move, player I is allowed to play any integer $x_0$. But once this is done, the next $x_0$ moves of both players are restricted. Player I must precisely play $x_0 - 1, x_0 - 2, \ldots, 0$, while player II can only play $0, 0, \ldots, 0$.

- Then player II can play any $x_1 > x_0$, forcing player I to play $x_2 > x_1$ as next move. From this point, the next $x_2 - x_1$ moves are also restricted to $0, 0, \ldots, 0$ for player II, and precisely $x_2 - 1, x_2 - 2, \ldots, x_1$ for player I.

- Then player II can play any $x_3 > x_2$, forcing player I to play $x_4 > x_3$. The next $x_4 - x_3$ moves being $0, 0, \ldots, 0$ for player II, and $x_4 - 1, x_4 - 2, \ldots, x_3$ for player I.

And so on. We remark that

- if one skips all occurrences of 0, it appears that II played exactly the infinite strictly increasing subsequence $x_1 < x_3 < x_5 < \cdots$,

- I played $x_0, x_0 - 1, \ldots, 0, x_2, x_2 - 1, \ldots, x_1, x_4, x_4 - 1, \ldots, x_3, \ldots$,

- the integers played during this run $x$ are precisely $[0, x_0] \cup \bigcup_{i \in \mathbb{N}} [x_{2i+1}, x_{2i+2}]$.

In the rest of the proof we simply forget about the part of the play that is totally imposed. We concentrate on the subsequence $x_0, x_1, x_2, \ldots$ - the full play being easily reconstructed from it.

To show that $G(T, A)$ is not determined, we first assume, towards a contradiction, that I has a winning strategy $\sigma$. We let II play as follows: after I plays $x_0$, II plays any $x_1 > x_0$, then I answers with $x_2$, but then II considers a second play - let's call it fake - of the game $G(T, A)$ where I still applies $\sigma$, but II, in this fake game, copies I's answers in the original game with a shift, skipping $x_0$. Similarly, player II, in the original game, copies I's answers in the fake game, with here also a shift. See the next picture, where $x_i^+$ stands for $1 + x_i$.

Since $\sigma$ is a winning strategy for I, it follows that $\Im(x_{original}) = [0, x_0] \cup [x_1, x_2] \cup \bigcup_{i \in \mathbb{N}} [x^+_{2i+3}, x_{2i+4}] \in U$, and $\Im(x_{fake}) = [0, x_0] \cup \bigcup_{i \in \mathbb{N}} [x^+_{2i+2}, x_{2i+3}] \in U$. Since $U$ is a filter, $\Im(x_{original}) \cap \Im(x_{fake}) = [0, x_0] \in U$. On the other hand, $\mathbb{N} \setminus [0, x_0]$ belongs to $U$ by the very definition of a free ultrafilter. This yields $[0, x_0] \cap (\mathbb{N} \setminus [0, x_0]) = \emptyset \in U$, a contradiction.

We have proved that player I cannot have a winning strategy; the assumption that II has a winning strategy in $G(T, A)$ leads exactly to the same contradiction. $\dashv_4$

Remark 2. In a game on some graph $\mathcal{G}$ with infinitely many vertices, if a player P has a winning strategy, and his opponent's winning set is positive, then P does not necessarily have a persistent winning strategy. Consider the following counterexample where there is only one vertex (the initial one) for player 0, and player 1 wins if and only if the sequence of 1-vertices (the ones with two circles) is not strictly increasing:

Since any subsequence of a strictly increasing sequence is also strictly increasing, A (the winning set for player 1) satisfies $\forall x, y \; (x \sqsubseteq y \wedge x \in A) \Rightarrow y \in A$, hence this game is positive. Clearly, player 0 has a winning strategy, but certainly does not have any persistent winning strategy. In fact, every winning strategy must be persistently changing.

5 Muller Acceptance Conditions 

For the games where the winning set is defined in terms of a Muller acceptance condition, i.e. an infinite play is accepted iff the set of vertices visited infinitely often belongs to some set of the form $\mathcal{F} \subseteq \mathcal{P}(V)$ [12] [13], topological properties do help.

Theorem 5. Let V be finite, and $A \subseteq \mathcal{G}^\omega$ defined by Muller acceptance conditions $\mathcal{F} \subseteq \mathcal{P}(V)$; the following are equivalent:

1. A is positive,

2. $A =_w Q^c_i$ or $A =_w D^n_i$ for some $n \in \mathbb{N}$, and $i \in \{0, 1, (0, 1)\}$,

3. $A \in \Pi^0_2$.
In particular, this theorem gives an amazing proof of an already known result that all $\Delta^0_2$-sets defined in terms of Muller acceptance conditions are finite differences of open sets (see [16], [3]).

Proof of theorem 5: The direction (1)⇒(2) is theorem 3. For (2)⇒(3), it is enough to say that if $A =_w Q^c$, then A is $\Pi^0_1$-complete, and if $A =_w D^n$, then A is in $\Delta^0_2$. So in both cases, A belongs to $\Pi^0_2$.

For (3)⇒(1), towards a contradiction, we assume both $A \in \Pi^0_2$ and A is not positive. This means, in particular, that there exist two infinite sequences $x, y \in \mathcal{G}^\omega$ that verify $x \sqsubseteq y$, $x \in A$, and $y \notin A$. Let $A_x$ and $A_y$ be the sets of vertices visited infinitely often by respectively x and y. Since $x \sqsubseteq y$ holds, we infer that $A_x \subseteq A_y$ holds too. So there is at least one vertex $v \in A_x$ that is accessible from the initial vertex and from which there is, inside $\mathcal{G}$, both a path $w_x$ going through precisely all vertices in $A_x$ and coming back to v, and another path $w_y$ going through precisely all vertices in $A_y$ and also coming back to v. This yields the following winning strategy for player II in $W(Q, A)$: first reach vertex v, then

— each time player I plays a 0, play the whole path $w_x$,

— each time player I plays a 1, play the whole path $w_y$.

The sequence played by I belongs to Q iff it contains finitely many 1, in which case the set of vertices visited infinitely often by II is exactly $A_x$, showing that the sequence played by II also belongs to A.

If I's play contains infinitely many 1, then it is not in Q, but in this case II visited infinitely often precisely all vertices in $A_y$, so that II also wins in this case.

We have shown that $Q \leq_w A$ holds. Since Q is $\Sigma^0_2$-complete, it follows that $A \notin \Pi^0_2$, a contradiction.

□ 5

Remark 3. If a player's winning set is a $\Sigma^0_2$-set defined in terms of Muller acceptance conditions, and this player has a winning strategy, then this player also has a persistent winning strategy. However, this fact does not help much, since this player not only has a persistent winning strategy but also a memoryless one.

Lemma 7. Let V be finite, and $A \subseteq \mathcal{G}^\omega$ defined by Muller acceptance conditions $\mathcal{F} \subseteq \mathcal{P}(V)$.

1. A positive ⇒ $\mathcal{F}$ is closed under union.

2. A positive winning set for player 1 (resp. 0), and player 0 (resp. 1) has a w.s. ⇒ player 0 (resp. 1) has a memoryless winning strategy.

Proof of lemma 7:

1. It is immediate to see that given $Q, Q' \in \mathcal{F}$ such that $Q \cup Q' \notin \mathcal{F}$, and given any sequence x that visits infinitely often the set of vertices Q, one can build a sequence y that visits infinitely often all vertices in $Q \cup Q'$ and satisfies $x \sqsubseteq y$. This leads to both $x \in A$ and $y \notin A$, a contradiction.

2. This is an immediate consequence of theorem 17 in [17].
Abstract. Abduction is a fundamental mode of reasoning, which has taken on 
increasing importance in Artificial Intelligence (AI) and related disciplines. Com- 
puting abductive explanations is an important problem, and there is a growing 
literature on this subject. We contribute to this endeavor by presenting new results 
on computing multiple resp. all of the possibly exponentially many explanations of 
an abductive query from a propositional Horn theory represented by a Horn CNF. 

Here the issues are whether a few explanations can be generated efficiently and, in 
case of all explanations, whether the computation is possible in polynomial total 
time (or output-polynomial time), i.e., in time polynomial in the combined size of 
the input and the output. We explore these issues for queries in CNF and important 
restrictions thereof. Among the results, we show that computing all explanations 
for a negative query literal from a Horn CNF is not feasible in polynomial total 
time unless P = NP, which settles an open issue. However, we show how to com- 
pute under restriction to acyclic Horn theories polynomially many explanations in 
input polynomial time and all explanations in polynomial total time, respectively. 
Complementing and extending previous results, this draws a detailed picture of 
the computational complexity of computing multiple explanations for queries on 
Horn theories. 

Keywords: Computational logic, abduction, propositional logic, Horn theories, 
polynomial total time computation, NP-hardness. 

1 Introduction 

Abduction is a fundamental mode of reasoning, which was extensively studied by C.S. 
Peirce [19]. It has taken on increasing importance in Artificial Intelligence (AI) and 
related disciplines, where it has been recognized as an important principle of common- 
sense reasoning (see e.g. [3]). Abduction has applications in many areas of AI and 
Computer Science including diagnosis, database updates, planning, natural language 
understanding, learning etc. (see e.g. references in [10]), where it is primarily used for 
generating explanations. 
In a logic-based setting, abduction can be viewed as the task to find, given a set of formulas $\Sigma$ (the background theory) and a formula $\chi$ (the query), a minimal set of formulas E (an explanation) from a set of hypotheses H such that $\Sigma$ plus E is satisfiable and logically entails $\chi$. Often considered is a scenario where $\Sigma$ is a propositional Horn theory, $\chi$ is a single literal or a conjunction of literals, and H contains literals (see [24,10] 
and references therein). For use in practice, the computation of abductive explanations 
in this setting is an important problem, for which well-known early systems such as 
Theorist [20] or ATMS solvers [6,22] have been devised. Since then, there has been a 
growing literature on this subject, indicating the need for efficient abductive procedures. 
We refer to [18], which gives an excellent survey on closely related problems in computational logic. Note that much effort has been spent on studying various input restrictions, cf. [14,4,13,25,8,7,10,23,24].

While computing some explanation of a query $\chi$ has been studied extensively in the literature, the issue of computing multiple or even all explanations for $\chi$ has received 
less attention. This problem is important since often one would like to select one out of 
a set of alternative explanations according to a preference or plausibility relation; this 
relation may be based on subjective intuition and thus difficult to formalize. As easily 
seen, exponentially many explanations may exist for a query, and thus computing all 
explanations inevitably requires exponential time in general, even in propositional logic. 
However, it is of interest whether the computation is possible in polynomial total time 
(or output-polynomial time), i.e., in time polynomial in the combined size of the input 
and the output. Furthermore, if exponential space is prohibitive, it is of interest to know 
whether a few explanations (e.g., polynomially many) can be generated in polynomial 
time, as studied by Selman and Levesque [24]. 

Computing some explanation for a query $\chi$ which is a literal from a Horn theory is a well-known polynomial problem. Selman and Levesque conjectured [24] that generating $O(n)$ many explanations for a positive literal is NP-hard, where n is the number of 
propositional atoms in the language, even if it is guaranteed that there are only few 
explanations overall. As shown in [11], this conjecture is not true unless P=NP. This 
follows from the result of [11] that all explanations for an atom can be generated in 
polynomial total time. 

The status of generating all explanations for a negative literal $\chi = \bar{q}$ from a Horn CNF $\varphi$, however, remained open in [11]. Moreover, it was unclear whether a resolution-style procedure similar to the one for query atoms in [11] could solve the problem in polynomial total time. In this paper, we provide a negative answer to this question, by showing that given a collection of explanations for a query $\chi = \bar{q}$ from a Horn CNF $\varphi$, deciding whether there is an additional explanation is NP-complete. Consequently, the existence of a polynomial total time algorithm for computing all explanations implies P=NP. However, for the well-known class of acyclic Horn theories (see e.g. [5,24,21,1]) we present an algorithm which enumerates all explanations for $\bar{q}$ with incremental polynomial delay (i.e., in time polynomial in the size of the input and output so far), and thus solves the problem in polynomial total time. Compared to explanations for an atomic query q, intuitively cyclic dependencies between atoms make the problem difficult. For completeness, a resolution-style procedure as in [11] needs to consider besides the input 




Generating All Abductive Explanations 199

and output clauses also auxiliary clauses (see Example 7), whose derivation may cause a lot of overhead, since it is not a priori clear which such clauses are needed.

We furthermore address computing all explanations for queries $\chi$ beyond literals, 
where we consider CNF and important special cases such as a clause and a term (i.e., a 
conjunction of literals). Note that the explanations for single clause queries correspond 
to the minimal support clauses for a clause in Clause Management Systems [22]. In the 
light of the negative results from above, we aim at elucidating the tractability frontier 
and present positive as well as negative results for such queries. 

Our results shed new light on the computational nature of abduction and Horn the- 
ories in particular. They imply that, e.g., generating all minimal support clauses for a 
given clause (cf. [22]) from an acyclic Horn CNF is feasible in polynomial total time. 
The intractability result for negative literal queries q is somewhat unexpected, and the 
tractability result for acyclic Horn theories is more difficult to obtain than in case of 
atomic queries. As a byproduct, we also obtain results for computing all prime impli- 
cates of Horn theories containing a certain literal, which complement and refine previous 
results for computing all prime implicates of a Horn theory [2]. 

For space reasons, some proofs are omitted; we refer to the extended version [12]. 



2 Preliminaries and Notation 

We assume a standard propositional language with atoms $x_1, x_2, \ldots, x_n$ from a set At, where each $x_i$ takes either value 1 (true) or 0 (false). Negated atoms are denoted by $\bar{x}$ and the opposite of a literal $\ell$ by $\bar{\ell}$. Furthermore, we use $\bar{A} = \{\bar{\ell} \mid \ell \in A\}$ for any set of literals A and set $Lit = At \cup \bar{At}$.

A clause is a disjunction $c = \bigvee_{p \in P(c)} p \vee \bigvee_{p \in N(c)} \bar{p}$ of literals, where $P(c)$ and $N(c)$ are the sets of atoms occurring positively and negated in c and $P(c) \cap N(c) = \emptyset$. Dually, a term is a conjunction $t = \bigwedge_{p \in P(t)} p \wedge \bigwedge_{p \in N(t)} \bar{p}$ of literals, where $P(t)$ and $N(t)$ are similarly defined. We also view clauses and terms as sets of literals $P(c) \cup \overline{N(c)}$ and $P(t) \cup \overline{N(t)}$, respectively. A clause c is Horn, if $|P(c)| \leq 1$; definite, if $|P(c)| = 1$; and negative (resp., positive), if $|P(c)| = 0$ (resp., $|N(c)| = 0$). A conjunctive normal form (CNF) is a conjunction of clauses. It is Horn (resp., definite, negative, positive), if it contains only Horn clauses (resp., definite, negative, positive clauses). A theory $\Sigma$ is any finite set of formulas; it is Horn, if it is a set of Horn clauses. As usual, we identify $\Sigma$ with $\varphi = \bigwedge_{c \in \Sigma} c$, and write $c \in \varphi$ etc.

A model is a vector $v \in \{0, 1\}^n$, whose i-th component is denoted by $v_i$. For $B \subseteq \{1, \ldots, n\}$, we let $x^B$ be the model v such that $v_i = 1$, if $i \in B$ and $v_i = 0$, if $i \notin B$, for $i \in \{1, \ldots, n\}$. Satisfaction $v \models \varphi$ and logical consequence $\varphi \models c$, $\varphi \models \psi$ etc. are defined as usual (i.e., $\varphi(v) = 1$ etc.).

Example 1. The CNF $\varphi = (\bar{x}_1 \vee \bar{x}_4) \wedge (\bar{x}_4 \vee \bar{x}_3) \wedge (\bar{x}_1 \vee x_2) \wedge (\bar{x}_4 \vee \bar{x}_5 \vee x_1) \wedge (\bar{x}_2 \vee \bar{x}_5 \vee x_3)$ over $At = \{x_1, x_2, \ldots, x_5\}$ is Horn. The vector $v = (0, 1, 0, 1, 0)$ is a model of $\varphi$. □

The following proposition is well-known. 

Proposition 1. Given a Horn CNF $\varphi$ and a clause c, deciding whether $\varphi \models c$ is possible in polynomial time (in fact, in linear time, cf. [9]).
Recall that two clauses c and d resolve on a pair of literals $x, \bar{x}$ if $x, \bar{x} \in c \cup d$ and $c \cup d \setminus \{x, \bar{x}\}$ is a legal clause (thus, x must occur in exactly one of c and d, and the same for $\bar{x}$); c and d resolve if there is a pair of literals $x, \bar{x}$ on which they resolve. Note that this pair, if it exists, is unique. In that case, we denote by $c \oplus d$ the clause $c \cup d \setminus \{x, \bar{x}\}$, which is their resolvent (otherwise, $c \oplus d$ is undefined). A resolution proof of a clause c from a CNF $\varphi$ is a sequence $c_1, c_2, \ldots, c_l$ of clauses such that $c_l = c$ and, for all $i = 1, \ldots, l$, either $c_i \in \varphi$ or $c_i = c_j \oplus c_k$ for clauses $c_j$ and $c_k$ such that $j, k < i$. It is well-known that resolution proofs are sound and complete with respect to clause inference in the following sense (cf. [18]): For any CNF $\varphi$ and clause c, $\varphi \models c$ holds iff there is a clause $d \subseteq c$ which has a resolution proof from $\varphi$. For further background on resolution, we refer to [17,16].

2.1 Abductive Explanations 

The notion of an abductive explanation can be formalized as follows (cf. [24,10]). 

Definition 1. Given a (Horn) theory $\Sigma$, called the background theory, a CNF $\chi$ (called query), an explanation of $\chi$ is a minimal set of literals $E \subseteq Lit$ such that

(i) $\Sigma \cup E \models \chi$, and

(ii) $\Sigma \cup E$ is satisfiable.

Example 2. Reconsider the Horn CNF $\varphi = (\bar{x}_1 \vee \bar{x}_4) \wedge (\bar{x}_4 \vee \bar{x}_3) \wedge (\bar{x}_1 \vee x_2) \wedge (\bar{x}_4 \vee \bar{x}_5 \vee x_1) \wedge (\bar{x}_2 \vee \bar{x}_5 \vee x_3)$ from above. Suppose we want to explain $\chi = x_2$ from $A = \{x_1, \bar{x}_4\}$. Then, we find that $E = \{x_1\}$ is an explanation. Indeed, $\Sigma \cup \{x_1\} \models x_2$, and $\Sigma \cup \{x_1\}$ is satisfiable; moreover, E is minimal. On the other hand, $E' = \{x_1, \bar{x}_4\}$ satisfies (i) and (ii) for $\chi = x_2$, but is not minimal. □

More restricted forms of explanations require that E must be formed over a given set 
of abducible letters (cf. [24]); however, in such a setting, generating all explanations is 
easily seen to be coNP-hard for the cases that we consider from results in the literature. 

The following characterization of explanations is immediate by the monotonicity of 
classical logic. 

Proposition 2. For any theory $\Sigma$, any query $\chi$ and any $E \subseteq Lit$, E is an explanation for $\chi$ from $\Sigma$ iff the following conditions hold: (i) $\Sigma \cup E$ is satisfiable, (ii) $\Sigma \cup E \models \chi$, and (iii) $\Sigma \cup (E \setminus \{\ell\}) \not\models \chi$, for every $\ell \in E$.

From Proposition 2, we thus obtain the following easy lemma.

Lemma 1. Given a Horn CNF $\varphi$, a set $E \subseteq Lit$, and a CNF query $\chi$, deciding whether E is an explanation for $\chi$ w.r.t. $\varphi$ is possible in polynomial time.

3 Intractability of Negative Literal Queries 

In this section, we show that computing all explanations of a negative query $\chi = \bar{q}$ is 
not possible in polynomial total time unless P = NP. This result follows by standard 
arguments from the following theorem. 
Theorem 1. Given a Horn CNF $\varphi$, a query $\chi$ and explanations $E_1, E_2, \ldots, E_k$ for $\chi$, deciding whether $\chi$ has some additional explanation $E_{k+1}$ different from each $E_i$, $1 \leq i \leq k$, is NP-complete. Hardness holds even if $\varphi$ is definite Horn.

In the proof of Theorem 1, we use the following well-known lemma, which links prime implicates of a theory to explanations. Recall that a prime implicate of a theory $\Sigma$ is a minimal (w.r.t. inclusion) clause c such that $\Sigma \models c$. Let us call an explanation E for a literal query $\chi = \ell$ trivial, if $E = \{\ell\}$.

Lemma 2 (cf. [22,15]). Given a theory $\Sigma$, a set $E \subseteq Lit$ is a nontrivial explanation of a query literal $\chi$ iff the clause $c = \bigvee_{\ell \in E} \bar{\ell} \vee \chi$ is a prime implicate of $\Sigma$.

Note that $\chi = \ell$ has a trivial explanation iff $\Sigma \not\models \bar{\ell}$ and $\Sigma \not\models \ell$, which can be checked in polynomial time. Hence, as for NP-hardness we can without loss of generality focus on generating the nontrivial explanations of $\bar{q}$, i.e., all prime implicates containing $\bar{q}$.

Proof of Theorem 1. As for membership in NP, an additional explanation $E_{k+1}$ can be guessed and, by Lemma 1, be verified in polynomial time.

We show the NP-hardness by a reduction from 3SAT. Let $\gamma = C_1 \wedge \cdots \wedge C_m$, $m \geq 2$, be a 3CNF over atoms $x_1, \ldots, x_n$, where $C_i = \ell_{i,1} \vee \ell_{i,2} \vee \ell_{i,3}$. We introduce for each clause $C_i$ a new atom $y_i$, for each $x_j$ a new atom $x_j'$ (which intuitively corresponds to $\bar{x}_j$), and special atoms q and z. The Horn CNF $\varphi$ contains the following clauses:

1. $c_{i,j} = \bar{q} \vee \bar{\ell}'_{i,j} \vee y_i$, for all $i = 1, \ldots, m$ and $j = 1, 2, 3$;

2. $d_{i,j} = \bar{\ell}'_{i,j} \vee \bar{y}_i \vee y_{i+1}$, for all $i = 1, \ldots, m$ and $j = 1, 2, 3$;

3. $\bar{x}_i \vee \bar{x}_i' \vee z$, for all $i = 1, \ldots, n$;

4. $e = \bar{y}_1 \vee \bar{y}_2 \vee \cdots \vee \bar{y}_m \vee z$,

where $\ell'_{i,j} = x_k$ if $\ell_{i,j} = x_k$ and $\ell'_{i,j} = x'_k$ if $\ell_{i,j} = \bar{x}_k$, and $y_{m+1} = y_1$.

Note that $\varphi$ is definite Horn, and thus all prime implicates of $\varphi$ are definite Horn. Informally, the clauses $c_{i,j}$ and $d_{i,j}$ stand for the selection of literal $\ell_{i,j}$ in clause $C_i$. The clause in 4., which is needed to produce any negative prime implicate c containing $\bar{q}$, and the minimality of a prime implicate will effect that a literal is chosen from each clause $C_i$, and the clauses in 3. will ensure that the choice is consistent, such that $\gamma$ is satisfied. Since the positive prime implicates containing $\bar{q}$ are just the clauses $c_{i,j}$, a further prime implicate of $\varphi$ containing $\bar{q}$ exists iff $\gamma$ is satisfiable.

We establish the following properties of $\varphi$.

Lemma 3. Any prime implicate c of $\varphi$ such that $q \in N(c)$ and $P(c) \neq \{z\}$ is of the form $c_{i,j}$, where $i \in \{1, \ldots, m\}$ and $j \in \{1, 2, 3\}$.

Lemma 4. Any prime implicate c of $\varphi$ such that $P(c) = \{z\}$ and $q \in N(c)$ satisfies (i) $\{x_i, x_i'\} \not\subseteq N(c)$, for all $i = 1, \ldots, n$, and (ii) $y_i \notin N(c)$, for all $i = 1, \ldots, m$.

From Lemma 3, it is now easy to see that all prime implicates of $\varphi$ given by the clauses in 1. correspond to nontrivial explanations of $\bar{q}$, and from Lemma 4 that an additional nontrivial explanation for $\bar{q}$ exists if and only if some prime implicate of $\varphi$ of form $c = \bar{q} \vee \bigvee_{x_i \in X} \bar{x}_i \vee \bigvee_{x_i' \in X'} \bar{x}_i' \vee z$ exists, which holds iff the CNF $\gamma$ is satisfiable. As for the last equivalence, note that for each smallest (w.r.t. $\subseteq$) choice $\ell_i \in C_i$ of a consistent collection of literals $\ell_1, \ldots, \ell_m$, we have an additional prime implicate of $\varphi$ of form $\bar{q} \vee \bigvee_i \bar{\ell}'_i \vee z$. Conversely, each additional prime implicate c containing $\bar{q}$ gives rise to a consistent set of literals $\{x_j \mid x_j \in N(c)\} \cup \{\bar{x}_j \mid x_j' \in N(c)\}$ which satisfies $\gamma$.

Clearly, $\varphi$ is constructible in polynomial time from $\gamma$. Since $\varphi$ is definite, this proves the NP-hardness under the asserted restriction. □

We note that $\varphi$ in the hardness proof of Theorem 1 remains Horn upon switching the polarity of z. From this, NP-completeness of deciding the existence of an explanation for $\chi = \bar{q}$ formed of only positive literals easily follows, even if all other explanations are given. This contrasts with the respective tractability results for acyclic theories (implied by the next section) and for atomic queries $\chi = q$ on arbitrary Horn CNFs [11].

4 Negative Literal Queries on Acyclic Horn Theories 

Since, as shown in the previous section, a polynomial total time procedure for generating all explanations of a negative literal query is infeasible in general unless P=NP, it becomes an issue to find restricted input classes for which this is feasible. In this section, we show a positive result for the important class of acyclic Horn theories, which has been studied extensively in the literature (see, e.g., [5,24,21,1]).

We first recall the concept of acyclic Horn theories (see e.g. [5,24]). 

Definition 2. For any Horn CNF $\varphi$ over atom set At, its dependency graph is the directed graph $G(\varphi) = (V, E)$, where $V = At$ and $E = \{x_i \to x_j \mid c \in \varphi, x_i \in N(c), x_j \in P(c)\}$, i.e., E contains an arc from each atom in a negative literal to the positive literal in a clause (if such a literal exists). A Horn CNF $\varphi$ is acyclic if $G(\varphi)$ has no directed cycle.

Example 3. As easily seen, the edges of $G(\varphi)$ for the CNF $\varphi$ in Examples 1 and 2 are $x_1 \to x_2$, $x_4 \to x_1$, $x_5 \to x_1$, $x_2 \to x_3$, and $x_5 \to x_3$. Hence, $\varphi$ is acyclic. □
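The dependency graph of Definition 2 and the acyclicity test it implies, as an added example (not code from the paper): literals are encoded as signed integers, and the input is the Horn CNF of Examples 1 to 3 together with a constructed two-clause cyclic theory; the acyclicity check uses Kahn's topological sort, which is the editor's choice and is not prescribed by the paper.

```python
# Added example (not from the paper): build the dependency graph G(phi) of
# Definition 2 and test acyclicity with Kahn's topological sort.
# Literals are ints: k stands for the atom x_k, -k for its negation.
from collections import defaultdict, deque

# Constructed input: the Horn CNF phi of Examples 1-3,
# (~x1 v ~x4)(~x4 v ~x3)(~x1 v x2)(~x4 v ~x5 v x1)(~x2 v ~x5 v x3)
PHI = [[-1, -4], [-4, -3], [-1, 2], [-4, -5, 1], [-2, -5, 3]]


def dependency_graph(cnf):
    """Return (atoms, arcs): one arc x_i -> x_j per clause c with x_i in N(c)
    and x_j in P(c); purely negative clauses contribute no arc."""
    atoms = {abs(l) for c in cnf for l in c}
    arcs = set()
    for c in cnf:
        pos = [l for l in c if l > 0]
        if len(pos) > 1:
            raise ValueError("not a Horn clause: %r" % (c,))
        for xj in pos:
            for l in c:
                if l < 0:
                    arcs.add((-l, xj))
    return atoms, arcs


def topological_order(atoms, arcs):
    """Kahn's algorithm: a topological sorting of the atoms, or None if the
    graph has a directed cycle (some atom never reaches in-degree 0)."""
    indeg = {a: 0 for a in atoms}
    succ = defaultdict(list)
    for u, v in arcs:
        succ[u].append(v)
        indeg[v] += 1
    queue = deque(sorted(a for a in atoms if indeg[a] == 0))
    order = []
    while queue:
        u = queue.popleft()
        order.append(u)
        for v in sorted(succ[u]):
            indeg[v] -= 1
            if indeg[v] == 0:
                queue.append(v)
    return order if len(order) == len(atoms) else None


def is_acyclic(cnf):
    """Definition 2: phi is acyclic iff G(phi) has no directed cycle."""
    return topological_order(*dependency_graph(cnf)) is not None


if __name__ == "__main__":
    atoms, arcs = dependency_graph(PHI)
    print(sorted(arcs))                     # [(1, 2), (2, 3), (4, 1), (5, 1), (5, 3)]
    print(topological_order(atoms, arcs))   # [4, 5, 1, 2, 3]
    # Constructed counterexample: x1 -> x2 and x2 -> x1 form a directed cycle.
    print(is_acyclic([[-1, 2], [-2, 1]]))   # False
```

The topological sorting returned for the example CNF is one of the atom orderings the paper later fixes for acyclic CNFs (an ordering compatible with a topological sorting of $G(\varphi)$), so the same routine yields the atom order needed for the clause ordering of Section 4.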

Since the trivial explanation $E = \{\bar{q}\}$ can be easily generated (if it applies), we focus on generating all nontrivial explanations. For a negative query on an acyclic Horn theory, this is accomplished by Algorithm n-Explanations in Figure 1. It first converts the input into an equivalent prime Horn CNF $\varphi^*$, and then applies a restricted resolution procedure, in which pairs $(c, c')$ of clauses are considered of which at least one is a prime implicate containing $\bar{q}$ and the other is either a clause of this form or a clause from the converted input $\varphi^*$. In case their resolvent $d := c \oplus c'$ exists and, as implied by condition (ii) in Definition 1, includes only prime implicates containing $\bar{q}$, any such prime implicate $d'$ is computed. If $d'$ is recognized as a new prime implicate which has not been generated so far, a corresponding explanation is output and the set of candidate pairs is enlarged.

Example 4. Reconsider $\varphi = (\bar{x}_1 \vee \bar{x}_4) \wedge (\bar{x}_4 \vee \bar{x}_3) \wedge (\bar{x}_1 \vee x_2) \wedge (\bar{x}_4 \vee \bar{x}_5 \vee x_1) \wedge (\bar{x}_2 \vee \bar{x}_5 \vee x_3)$, and apply n-Explanations for $\chi = \bar{x}_1$. All clauses of $\varphi$ are prime except $\bar{x}_4 \vee \bar{x}_5 \vee x_1$, which contains the prime implicate $\bar{x}_4 \vee \bar{x}_5$. Thus, $\varphi^* = (\bar{x}_1 \vee \bar{x}_4) \wedge (\bar{x}_4 \vee \bar{x}_3) \wedge (\bar{x}_1 \vee x_2) \wedge (\bar{x}_4 \vee \bar{x}_5) \wedge (\bar{x}_2 \vee \bar{x}_5 \vee x_3)$, and S contains the clauses $\bar{x}_1 \vee \bar{x}_4$ 
Algorithm n-Explanations

Input: An acyclic Horn CNF $\varphi$ and an atom q.

Output: All nontrivial explanations of the query $\chi = \bar{q}$ from $\varphi$.

Step 1. $\varphi^* := \emptyset$, $S := \emptyset$, and $O := \emptyset$;

Step 2. for each $c \in \varphi$ do
    add any prime implicate $c' \subseteq c$ of $\varphi$ to $\varphi^*$;
    for each $c' \in \varphi^*$ with $q \in N(c')$ and $c' \notin S$ do
    begin output($\{\bar{\ell} \mid \ell \in c' \setminus \{\bar{q}\}\}$);
        $S := S \cup \{c'\}$; $O := O \cup \{(c, c') \mid c \in \varphi^*, q \notin P(c)\}$
    end;

Step 3. while some $(c, c') \in O$ exists do
    begin $O := O \setminus \{(c, c')\}$;
        if (1) c and c' resolve and (2) $\varphi^* \not\models (c \oplus c') \setminus \{\bar{q}\}$
        then begin $d := c \oplus c'$;
            compute any prime implicate $d' \subseteq d$ of $\varphi$;
            if $d' \notin S$ then
            begin output($\{\bar{\ell} \mid \ell \in d' \setminus \{\bar{q}\}\}$); $S := S \cup \{d'\}$;
                $O := O \cup \{(d'', d') \mid d'' \in \varphi^*, q \notin P(d'')\} \cup \{(d'', d') \mid d'' \in S\}$
            end
        end
    end. □

Fig. 1. Algorithm computing all nontrivial explanations of a query $\chi = \bar{q}$ on an acyclic Horn theory

and $\bar{x}_1 \vee x_2$; the corresponding explanations $E_1 = \{x_4\}$ and $E_2 = \{\bar{x}_2\}$ are output. In Step 2, the pair $(\bar{x}_2 \vee \bar{x}_5 \vee x_3, \bar{x}_1 \vee x_2)$ is found in O which satisfies condition (i) in Def. 1. Moreover, (ii) is satisfied, since $\varphi^* \not\models \bar{x}_5 \vee x_3$. Thus, a prime implicate within $d = \bar{x}_1 \vee \bar{x}_5 \vee x_3$ is computed; in fact, d is prime. Therefore, $E_3 = \{x_5, \bar{x}_3\}$ is output and d is added to S, and then O is enlarged. Eventually, the pair $(\bar{x}_3 \vee \bar{x}_4, \bar{x}_1 \vee \bar{x}_5 \vee x_3)$ from O, which satisfies condition (i), will be considered. However, $\varphi^* \models \bar{x}_4 \vee \bar{x}_5$, and thus S remains unchanged. Hence, the output of n-Explanations is $E_1$, $E_2$, and $E_3$. As can be seen, these are all nontrivial explanations for $\bar{x}_1$ from $\varphi$. □
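Algorithm n-Explanations run end to end on the CNF of Example 4, together with the explanation test of Proposition 2 / Lemma 1 applied to Example 2, as an added example (not the paper's own implementation): Horn entailment is decided by unit propagation as Proposition 1 permits, a prime implicate inside a clause is found by greedily dropping literals, and the pair set O is processed in an arbitrary order, which the figure leaves open. Literals are signed integers and the query is given by its atom index.

```python
# Added example (not from the paper): Horn entailment by unit propagation
# (Proposition 1), the explanation test of Proposition 2 / Lemma 1, and a
# direct rendering of Algorithm n-Explanations (Fig. 1), all run on the CNF
# of Examples 1-4.  Literals are ints (k is x_k, -k its negation); a clause
# is a frozenset of literals and a CNF a list of clauses.

# Constructed input: the Horn CNF phi of Examples 1-4,
# (~x1 v ~x4)(~x4 v ~x3)(~x1 v x2)(~x4 v ~x5 v x1)(~x2 v ~x5 v x3)
PHI = [frozenset(c) for c in ([-1, -4], [-4, -3], [-1, 2], [-4, -5, 1], [-2, -5, 3])]


def horn_entails(cnf, clause):
    """phi |= c iff phi plus the negation of every literal of c is unsatisfiable;
    on Horn clause sets unit propagation decides that (Proposition 1)."""
    clauses = list(cnf) + [frozenset([-l]) for l in clause]
    true = set()                                # literals forced so far
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(l in true for l in c):
                continue                        # clause already satisfied
            rest = [l for l in c if -l not in true]
            if not rest:
                return True                     # empty clause: contradiction
            if len(rest) == 1:
                true.add(rest[0])               # unit clause forces its literal
                changed = True
    return False                                # fixpoint without conflict: satisfiable


def is_explanation(cnf, E, query):
    """Proposition 2: E explains the CNF `query` iff phi u E is satisfiable,
    phi u E |= query, and removing any literal from E breaks the entailment."""
    E = frozenset(E)

    def entails_query(lits):
        theory = list(cnf) + [frozenset([l]) for l in lits]
        return all(horn_entails(theory, c) for c in query)

    with_E = list(cnf) + [frozenset([l]) for l in E]
    if horn_entails(with_E, frozenset()):       # entails the empty clause: unsatisfiable
        return False
    return entails_query(E) and not any(entails_query(E - {l}) for l in E)


def prime_implicate(cnf, clause):
    """Some prime implicate of cnf inside `clause`: drop literals greedily
    while the remainder is still an implicate."""
    c = set(clause)
    for l in sorted(clause):
        if horn_entails(cnf, c - {l}):
            c.discard(l)
    return frozenset(c)


def resolve(c, d):
    """c (+) d on the unique complementary pair, or None if c and d do not resolve."""
    pairs = [l for l in c if -l in d]
    return (c | d) - {pairs[0], -pairs[0]} if len(pairs) == 1 else None


def n_explanations(cnf, q):
    """Algorithm n-Explanations for the query ~x_q; returns the set of
    nontrivial explanations, each a frozenset of literals."""
    phi_star = {prime_implicate(cnf, c) for c in cnf}          # Step 2: prime form of phi
    S, O, out = [], [], set()

    def emit(d):        # output({~l | l in d \ {~q}}), then grow S and the pair set O
        out.add(frozenset(-l for l in d if l != -q))
        S.append(d)
        O.extend((c, d) for c in phi_star if q not in c)       # q not in P(c)
        O.extend((c, d) for c in S)          # adds nothing new while S lies inside phi*

    for c in sorted(phi_star, key=sorted):                      # Step 2
        if -q in c and c not in S:
            emit(c)
    while O:                                                    # Step 3
        c, c2 = O.pop()
        d = resolve(c, c2)                                      # condition (1)
        if d is None or horn_entails(phi_star, d - {-q}):       # condition (2)
            continue
        d2 = prime_implicate(cnf, d)
        if d2 not in S:
            emit(d2)
    return out


if __name__ == "__main__":
    print(is_explanation(PHI, {1}, [frozenset([2])]))       # True  (Example 2)
    print(is_explanation(PHI, {1, -4}, [frozenset([2])]))   # False (not minimal)
    print(sorted(map(sorted, n_explanations(PHI, 1))))      # [[-3, 5], [-2], [4]]  (Example 4)
```

Condition (2) is what keeps the procedure sound: when $(c \oplus c') \setminus \{\bar{q}\}$ is already an implicate, the resolvent contains a prime implicate without $\bar{q}$, so the pair is skipped rather than minimized, exactly as happens for the pair $(\bar{x}_3 \vee \bar{x}_4, \bar{x}_1 \vee \bar{x}_5 \vee x_3)$ in Example 4.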

We remark that our algorithm is similar in spirit to an algorithm for computing all prime implicates of a Horn CNF in polynomial total time [2]. Our algorithm solves a more constrained problem, though.

In the rest of this section, we show that Algorithm n-Explanations generates all 
explanations in polynomial total time. For that, we first show its correctness, which splits 
into a soundness and completeness part, and then analyze its time complexity. 

As for soundness, it is easily seen that Algorithm n-Explanations produces output only if $d'$ is some prime implicate of $\varphi^*$ (and thus of $\varphi$) such that $q \in N(d')$. Thus, from Lemma 2, we immediately obtain

Lemma 5 (Soundness of n-Explanations). Algorithm n-Explanations outputs only nontrivial explanations for $\bar{q}$ from $\varphi$.

It is much more difficult to show the completeness, i.e., that Algorithm n-Explanations actually generates all nontrivial explanations. Intuitively, the difficulty stems from the fact that the restricted resolution procedure retains only prime clauses containing $\bar{q}$, and, moreover, may skip relevant prime implicates $d' \subseteq c \oplus c'$ in Step 3 if condition (ii) fails, i.e., $(c \oplus c') \setminus \{\bar{q}\}$ is an implicate of $\varphi$ (which is tantamount to the condition that $c \oplus c'$ contains some prime implicate of $\varphi$ that does not contain $\bar{q}$). To see that no explanation is missed requires a careful analysis of how the desired explanations are generated, and leads to a nontrivial argument which takes the complex interaction between clauses into account.

We need a number of preliminary technical lemmas on which our proof builds, which are interesting in their own right. In what follows, we call a Horn clause c definite, if $P(c) \neq \emptyset$. Furthermore, for any literal $\ell$, a clause c is an $\ell$-clause if c contains $\ell$.

The following propositions are well-known. 

Proposition 3. Let $c_1, c_2$ be Horn implicates of a Horn CNF $\varphi$ that resolve. Then, $c = c_1 \oplus c_2$ is Horn, and if $c_1$ contains a negative implicate of $\varphi$, then also $c_1 \oplus c_2$ contains a negative implicate of $\varphi$.

Proposition 4 (cf. [2]). Every prime implicate c of a Horn CNF $\varphi$ has an input resolution proof from it, i.e., a resolution proof $c_1, c_2, \ldots, c_l \ (= c)$ such that either $c_i \in \varphi$ or $c_i = c_j \oplus c_k$ where $j, k < i$ and either $c_j \in \varphi$ or $c_k \in \varphi$, for all $i \in \{1, \ldots, l\}$.

We start with the following lemma. 

Lemma 6. Let $\varphi$ be a prime Horn CNF, and let c be any prime implicate of $\varphi$ such that $c \notin \varphi$. Then, $c = c_1 \oplus c_2$, where $c_1$ is a prime implicate contained in $\varphi$, and either (i) $c_2$ is a prime implicate of $\varphi$, or (ii) $c_2 = c \cup \{\ell\}$ where $c_1 \setminus \{\bar{\ell}\} \subseteq c$ and c is the unique prime implicate of $\varphi$ contained in $c_2$.

Note that item (ii) is needed in this lemma, as shown by the following example.

Example 5. Consider the Horn CNF $\varphi = (\bar{x}_0 \vee \bar{x}_1 \vee x_2)(\bar{x}_2 \vee \bar{x}_3)(\bar{x}_3 \vee x_0)$. As easily checked, $\varphi$ is prime and has a further prime implicate $\bar{x}_1 \vee \bar{x}_3$, which can not be derived as the resolvent of any two prime implicates of $\varphi$. Note that $\varphi$ is acyclic. □

Next we state some important properties of acyclic Horn CNFs under resolution. 

Proposition 5. Let $\varphi$ be an acyclic Horn CNF, and let $c = c_1 \oplus c_2$ where $c_1, c_2 \in \varphi$. Then, $\varphi' = \varphi \wedge c$ is acyclic Horn, and the dependency graphs $G(\varphi)$ and $G(\varphi')$ have the same transitive closure. Furthermore, any subformula $\varphi'' \subseteq \varphi$ is acyclic Horn.

Thus, adding repeatedly clauses derived by resolution preserves the acyclicity of a CNF, 
and, moreover, the possible topological sortings of the dependency graph. 

The following proposition captures that for an acyclic Horn CNF, resolution cannot be blocked because of multiple resolving pairs $x_i$ and $\bar{x}_i$ of literals.

Proposition 6. Let $\varphi$ be an acyclic Horn CNF, and let $c_1$ and $c_2$ be any implicates of $\varphi$ derived from $\varphi$ by resolution. Then, $c_1$ and $c_2$ do not resolve iff $P(c_1) \cap N(c_2) = \emptyset$ and $P(c_2) \cap N(c_1) = \emptyset$.

We define an ordering on Horn clauses as follows. Suppose that $<$ imposes a total ordering on the atoms ($x_{i_1} < x_{i_2} < \cdots < x_{i_n}$). Then, for any Horn clauses $c_1$ and $c_2$, define $c_1 \leq c_2$ iff $c_1 = c_2$ or one of the following conditions holds:

(i) $P(c_1) \neq \emptyset$ and $P(c_2) = \emptyset$;

(ii) $P(c_1) = \{x_i\}$ and $P(c_2) = \{x_j\}$ and $x_i < x_j$;

(iii) $P(c_1) = P(c_2)$ and $\max N(c_1) \,\Delta\, N(c_2) \in c_1$, where "$\Delta$" denotes standard symmetric difference (i.e., $S_1 \Delta S_2 = (S_1 \cup S_2) \setminus (S_1 \cap S_2)$).

As usual, we write $c_1 < c_2$ if $c_1 \leq c_2$ and $c_1 \neq c_2$, $c_1 \geq c_2$ for $c_2 \leq c_1$ etc. Note that $\leq$ orders first all definite Horn clauses along their positive literals, followed by the negative clauses. Notice that $c_1 \subseteq c_2$ implies $c_2 \leq c_1$, for any Horn clauses $c_1$ and $c_2$. The following proposition is not difficult to establish:

Proposition 7. Every total ordering $<$ of the atoms At induces a total ordering $\leq$ of all Horn clauses over At as described.

With respect to acyclic Horn CNFs $\varphi$, in the rest of this paper we assume an arbitrary but fixed total ordering $<$ of the atoms which is compatible with some topological sorting of the dependency graph $G(\varphi)$.

Proposition 8. Let $c_1$ and $c_2$ be Horn clauses such that $c = c_1 \oplus c_2$ exists. Then, $c_1 \leq c$ and $c_2 \leq c$ hold.

Corollary 1. Let $\varphi$ be an acyclic Horn CNF, and let $c, c_1$ and $c_2$ be any implicates of $\varphi$ derived from $\varphi$ such that $c \subseteq c_1 \oplus c_2$. Then, $c \geq c_1$ and $c \geq c_2$ hold.
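The clause ordering just defined, coded case by case, as an added example (not from the paper), and used to check Proposition 8 on the resolution step of Example 4. The atom ordering is a constructed topological sorting of $G(\varphi)$ for the CNF of Examples 1 to 4 ($x_4 < x_5 < x_1 < x_2 < x_3$), as the text assumes for acyclic CNFs; literals are signed integers as in the earlier examples.

```python
# Added example (not from the paper): the total ordering <= on Horn clauses
# of Section 4 (cases (i)-(iii)), checked against Proposition 8 on the
# resolution step of Example 4.  Literals are ints (k is x_k, -k its negation).
# ATOM_ORDER is a constructed topological sorting of G(phi) for the CNF of
# Examples 1-4 (x4 < x5 < x1 < x2 < x3), as the paper assumes for acyclic CNFs.
ATOM_ORDER = [4, 5, 1, 2, 3]
RANK = {x: i for i, x in enumerate(ATOM_ORDER)}


def P(c):
    """Atoms occurring positively in c."""
    return {l for l in c if l > 0}


def N(c):
    """Atoms occurring negatively in c."""
    return {-l for l in c if l < 0}


def clause_leq(c1, c2):
    """c1 <= c2 according to the three cases of the definition (Horn clauses only)."""
    c1, c2 = frozenset(c1), frozenset(c2)
    if c1 == c2:
        return True
    p1, p2 = P(c1), P(c2)
    if len(p1) > 1 or len(p2) > 1:
        raise ValueError("the ordering is defined for Horn clauses only")
    if p1 and not p2:                       # (i) definite clauses precede negative ones
        return True
    if p1 and p2 and p1 != p2:              # (ii) compare the positive atoms
        return RANK[next(iter(p1))] < RANK[next(iter(p2))]
    if p1 == p2:                            # (iii) largest atom of N(c1) symdiff N(c2)
        top = max(N(c1) ^ N(c2), key=RANK.get)
        return -top in c1                   # ... must occur (negated) in c1
    return False                            # p1 empty, p2 not: then c2 < c1


def clause_lt(c1, c2):
    """Strict version: c1 < c2 iff c1 <= c2 and c1 != c2."""
    return clause_leq(c1, c2) and frozenset(c1) != frozenset(c2)


def resolvent_is_larger(c1, c2, c):
    """Proposition 8 for a given resolvent c = c1 (+) c2: c1 <= c and c2 <= c."""
    return clause_leq(c1, c) and clause_leq(c2, c)


if __name__ == "__main__":
    # Example 4: (~x1 v x2) (+) (~x2 v ~x5 v x3) = ~x1 v ~x5 v x3
    c1, c2, c = [-1, 2], [-2, -5, 3], [-1, -5, 3]
    print(resolvent_is_larger(c1, c2, c))          # True
    print(clause_lt(c, c2))                        # False: the resolvent is the larger clause
    print(clause_leq([-1, -4, -3], [-1, -4]))      # True: c' subset of c'' gives c'' <= c'
```

Case (iii) compares the largest atom on which the negative parts differ, so a clause that is a superset of another (same positive part) is ordered below it; that is the containment property the text notes, and it is why a minimized prime implicate $d' \subseteq d$ is never smaller than the clauses it was resolved from (Corollary 1).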

Consequently, in any input resolution proof of a clause from an acyclic Horn CNF the 
derived clauses increase monotonically. As for the derivation of prime implicates, we 
find for such CNFs a more general form than in Lemma 6: 

Lemma 7. Let $\varphi$ be an acyclic prime Horn CNF, and let c be any prime implicate of $\varphi$ such that $c \notin \varphi$. Then, there are prime implicates $c_1$ and $c_2$ of $\varphi$ and, for some $k \geq 0$, prime implicates $d_1, d_2, \ldots, d_k$ and literals $\ell_1, \ell_2, \ldots, \ell_k$, respectively, such that: (i) $c_1, d_1, \ldots, d_k \in \varphi$, and (ii) $c = c_1 \oplus e_1$, where $e_i = c \cup \{\ell_i\} = d_i \oplus e_{i+1}$, for $i \in \{1, \ldots, k\}$, and $e_{k+1} = c_2$, such that $e_i$ contains the single prime implicate c.

An immediate consequence of this result is that prime implicates of an acyclic Horn 
CNF can be generated from two prime implicates as follows. 

Corollary 2. Let $\varphi$ be an acyclic prime Horn CNF, and let c be any prime implicate of $\varphi$ such that $c \notin \varphi$. Then, there exist prime implicates $c_1$ and $c_2$ of $\varphi$ which resolve such that either (i) $c = c_1 \oplus c_2$ or (ii) $c_1 \oplus c_2 = c \cup \{\ell\}$, where $\ell \notin c$ and c is the unique prime implicate of $\varphi$ contained in $c_1 \oplus c_2$.

In Example 5, the further prime implicate $\bar{x}_1 \vee \bar{x}_3$ can be derived as in case (ii) of Corollary 2: For $c_1 = \bar{x}_0 \vee \bar{x}_1 \vee x_2$ and $c_2 = \bar{x}_2 \vee \bar{x}_3$, we have $c_1 \oplus c_2 = \bar{x}_1 \vee \bar{x}_3 \vee \bar{x}_0$, and $c = \bar{x}_1 \vee \bar{x}_3$ is the unique prime implicate of $\varphi$ contained in $c_1 \oplus c_2$.

After the preparatory results, we now show that Algorithm n-Explanations is complete. 
Using an inductive argument on clause orderings, we show that all explanations 
are generated by taking into account possible derivations of prime implicates as established 
in Lemma 7 and Corollary 2. However, an inductive proof along $<$ encounters 
two major difficulties: First, the resolvent $c = c_1 \oplus c_2$ of two clauses is larger than $c_1$ 
and $c_2$, thus we cannot simply rearrange resolution steps and appeal to smaller clauses. 
Second, Algorithm n-Explanations does not generate prime implicates $c'$ by a resolution 
step alone, but using minimization in Step 3; that is, a prime implicate included 
in the resolvent $c' = c \oplus d$. A respective statement is much more difficult to prove than 
the one if $c'$ were prime. 

In order to overcome these difficulties, we use a more sophisticated ordering of 
clause pairs $(c, d)$ and establish as a stepping stone the following key lemma. For ease 
of reference, let us say that resolvable implicates $c_1$ and $c_2$ of a Horn CNF $\varphi$ satisfy the 
(technical) property (*), if the following conditions hold: 

1. At least one of $c_1$ and $c_2$ is prime. 

2. If $c_i$ is not prime, then it is of form $c_i = c'_i \cup \{\ell\}$, where $c'_i$ is the unique prime 
implicate of $\varphi$ contained in $c_i$ ($i \in \{1, 2\}$), and $c_i$ occurs in some derivation of $c'_i$ as 
in Lemma 7. 

3. There is no implicate $c'_1 \subset c_1$ (resp., $c'_2 \subset c_2$) of $\varphi$ such that $c = c'_1 \oplus c_2$ (resp., 
$c = c_1 \oplus c'_2$). 



Lemma 8 (Key Lemma). Let $\varphi$ be a prime acyclic Horn CNF, and let $c_1$ and $c_2$ be 
resolvable clauses satisfying (*) such that $q \in c := c_1 \oplus c_2$. Suppose that $c_i \in S$ if $c_i$ is 
prime and $q \in N(c_i)$ (resp., $c'_i \in S$ if $c_i = c'_i \cup \{\ell_i\}$ where $c'_i$ is prime and $q \in N(c'_i)$) 
for $i \in \{1, 2\}$. Then at least one of the following conditions holds: (i) $c \setminus \{q\}$ is an 
implicate of $\varphi$, or (ii) $c$ contains a $q$-clause from $S$. 

Proof (Outline). We prove the statement using an inductive argument which involves 
clause orderings and takes into account how the clauses $c_1$ and $c_2$ are recursively generated. 
Depending on the shape of $c_1$ and $c_2$, we consider different cases. 

Consider first the case in which both $c_1$ and $c_2$ contain $q$. Then, w.l.o.g. $c = q \vee a \vee b\ (\vee x_i)$, 
$c_1 = q \vee a \vee \bar{x}\ (\vee x_i)$, and $c_2 = b \vee x \vee q$. Here, $a$ and $b$ are disjunctions of 
negative literals, while $x$ is a single atom; "$(\vee x_i)$" means the optional presence of $x_i$. 

Both $c_1$ and $c_2$ contain a unique prime implicate $c'_1$ resp. $c'_2$ of $\varphi$ (where possibly 
$c'_i = c_i$). If $q \in c'_i$, then by assertion we have $c'_i \in S$. Thus, if both $c'_1$ and $c'_2$ contain $q$, 
Algorithm n-Explanations considers $c'_1 \oplus c'_2$, which implies the statement. No other 
cases are possible, since either $c'_1$ or $c'_2$ must contain $q$ (since $c_1$ or $c_2$ is prime) and 
condition 3 of (*) excludes that exactly one of $c'_1$ and $c'_2$ contains $q$. This proves the 
statement if both $c_1$ and $c_2$ contain $q$. 

For the other cases, assume that $q \in c_1$ and $q \notin c_2$ and prove the statement by 
induction along the lexicographic ordering of the pairs $(c_1, c_2)$, where the clauses $c_1$ 
are in reverse ordering $>$ and the clauses $c_2$ in regular ordering $<$. We distinguish the 
following cases: 

Definite/Negative Case 1 (DN1): $c = q \vee a \vee b\ (\vee x_i)$, $c_1 = q \vee a \vee \bar{x}\ (\vee x_i)$, and 
$c_2 = b \vee x$. That is, the $q$-clause $c$ is generated by resolving a $q$-clause $c_1$ with a 
non-$q$-clause $c_2$, where the positive resolution literal $x$ is in $c_2$. 

Definite/Negative Case 2 (DN2): $c = q \vee a \vee b\ (\vee x_i)$, $c_1 = q \vee a \vee x$, and $c_2 = 
b \vee \bar{x}\ (\vee x_i)$. That is, the $q$-clause $c$ is generated by resolving a $q$-clause $c_1$ with a 
non-$q$-clause $c_2$, where the positive resolution literal $x$ is in $c_1$. 

The statement is shown by a careful analysis of parent clauses of $c_1$ and $c_2$, and by 
reordering and adapting resolution steps. DN1 recursively only involves cases of the 
same kind (in fact, for negative $c_1$ we need to appeal only to smaller instances $(c'_1, c'_2)$ 
where $c'_1$ is negative), while DN2 recursively involves itself as well as DN1. $\square$ 

By combining Lemma 8 with Proposition 8 and Corollary 2, we obtain by an inductive 
argument on the clause ordering $<$ the desired completeness result. 

Lemma 9 (Completeness of n-Explanations). Algorithm n-Explanations outputs 
all nontrivial explanations for a query $\chi = q$ from an acyclic Horn CNF $\varphi$. 

Proof. We prove by induction on $<$ that $S$ contains each $q$-prime implicate $c$ of $\varphi$. 
(Basis) Let $c$ be the least prime implicate of $\varphi$ which contains $q$. From Proposition 8 and 
Corollary 2, we conclude that $c \in \varphi$ must hold. Hence, $c \in S$. 

(Induction) Suppose the claim holds for all $q$-prime implicates $c'$ of $\varphi$ such that $c' < c$, 
and consider $c$. By Corollary 2, there exist prime implicates $c_1$ and $c_2$ such that either (i) 
$c = c_1 \oplus c_2$ or (ii) $c$ is the unique prime implicate contained in $c_1 \oplus c_2 = c \cup \{\ell\}$ where 
$\ell \notin c$. By Proposition 8 and the induction hypothesis, we have $c_i \in S$ if $q \in N(c_i)$ 
holds for $i \in \{1, 2\}$. Consequently, $c_1$ and $c_2$ satisfy the conditions of Lemma 8. Hence, 
either (a) $c_1 \oplus c_2 \setminus \{q\}$ is an implicate of $\varphi$, or (b) $c_1 \oplus c_2$ contains a $q$-clause $c'$ from $S$. 
Since $q \in N(c)$ and $c$ is the unique prime implicate contained in $c_1 \oplus c_2$, we have (b). 
It follows from the uniqueness of $c$ that $c' = c$, which proves the statement. $\square$ 

We are now in a position to establish the main result of this section. Let $\|\varphi\|$ denote the 
size (number of symbols) of any CNF $\varphi$. 

Theorem 2. Algorithm n-Explanations incrementally outputs, without duplicates, all 
nontrivial explanations of $\chi = q$ from $\varphi$. Moreover, the next output (respectively termination) 
occurs within $O(s \cdot (s + m) \cdot n \cdot \|\varphi\|)$ time, where $m$ is the number of clauses 
in $\varphi$, $n$ the number of atoms, and $s$ the number of explanations output so far. 

Proof. By Lemmas 5 and 9, it remains to verify the time bound. Computing a prime 
implicate $c' \subseteq c$ and $d' \subseteq d$ of $\varphi$ in Steps 2 and 3, respectively, is feasible in time 
$O(n \cdot \|\varphi\|)$ (cf. Proposition 1), and thus the outputs in Step 2 occur with $O(m \cdot n \cdot \|\varphi\|)$ 
delay. As for Step 3, note that $O$ contains only pairs $(c, c')$ where $c \in \varphi^* \cup S$ and $c' \in S$ 
such that the explanation corresponding to $c'$ was generated, and each such pair is added 
to $O$ only once. Thus, the next output or termination follows within $s \cdot (s + m)$ runs 
of the while-loop, where $s$ is the number of solutions output so far. The body of the 
loop can be done, using proper data structures, in $O(n \cdot \|\varphi\|)$ time (for checking $d' \in S$ 
efficiently, we may store $S$ in a prefix tree). Thus, the time until the next output resp. 
termination is bounded by $O(s \cdot (s + m) \cdot n \cdot \|\varphi\|)$. $\square$ 

Corollary 3. Computing polynomially many explanations for a negative query $\chi = q$ 
from an acyclic Horn CNF $\varphi$ is feasible in polynomial time (in the size of the input). 

We conclude this section with some remarks on Algorithm n-Explanations. 

(1) As for implementation, standard data structures and marking methods can be used 
to realize efficient update of the sets $O$ and $S$, to determine resolvable clauses, and to 
eliminate symmetric pairs $(c, c')$ and $(c', c)$ in $O$. 

(2) Algorithm n-Explanations is incomplete for cyclic Horn theories, as shown by 
the following example. 

Example 6. Consider the Horn CNF p = (x 0 V Si V £2) (So V Si V £3) (Si VS2 V 
£3) (Si V X2 V S3) (S2 V S3 V £4) over xq, . . . , X4. Note that all clauses in ip are prime, 
and that .x 2 and £3 are symmetric. There are three further prime implicates, viz. Ci = 

51 V S2 V X4, C2 = Si V S3 V X4 , and C3 = So V Si V X4. Thus, q = So has the 

nontrivial explanations $E_1 = \{x_1, x_2\}$, $E_2 = \{x_1, x_3\}$, and $E_3$. Apply 
then Algorithm n-Explanations on input $\varphi$ and $q = \bar{x}_0$. While it outputs $E_1$ and $E_2$, it 
misses explanation $E_3$. $\square$ 

Algorithm n-Explanations may be extended to handle this example and others correctly 
by adding in Step 2 prime implicates to $\varphi^*$ which are generated in polynomial time (e.g., 
by minimizing clauses derived by resolution proofs from $\varphi^*$ whose number of steps is 
bounded by a constant). 

(3) Algorithm n-Explanations is no longer complete if we constrain the resolution 
process to input resolution, i.e., consider only pairs $(c, c')$ in Step 3 where at least 
one of $c$ and $c'$ is from $\varphi$ (which means that in the update of $O$ in Step 3, the part 
"$\{(c'', c') \mid c'' \in S\}$" is omitted). This is shown by the following example. 

Example 7. Consider the Horn CNF $\varphi = (\bar{x}_0 \vee x_1)(\bar{x}_1 \vee \bar{x}_2 \vee x_3)(\bar{x}_1 \vee \bar{x}_3 \vee x_4)$ 
over $x_0, \ldots, x_4$. As easily seen, $\varphi$ is acyclic. Moreover, $\varphi$ is prime. There are three 
further prime implicates containing $\bar{x}_0$, viz. $c_1 = \bar{x}_0 \vee \bar{x}_2 \vee x_3$, $c_2 = \bar{x}_0 \vee \bar{x}_3 \vee x_4$, 
and $c_3 = \bar{x}_0 \vee \bar{x}_2 \vee x_4$. Hence, $q = \bar{x}_0$ has the nontrivial explanations $E_1 = \{\bar{x}_1\}$, 
$E_2 = \{x_2, \bar{x}_3\}$, $E_3 = \{x_3, \bar{x}_4\}$, and $E_4 = \{x_2, \bar{x}_4\}$. If at least one of the clauses $(c, c')$ 
in Step 3 must be from $\varphi$, then $E_2$ and $E_3$ are generated from $(\bar{x}_1 \vee \bar{x}_2 \vee x_3,\ \bar{x}_0 \vee x_1)$ and 
$(\bar{x}_1 \vee \bar{x}_3 \vee x_4,\ \bar{x}_0 \vee x_1)$, respectively, while $E_4$ is missed: The pairs $(\bar{x}_1 \vee \bar{x}_3 \vee x_4,\ \bar{x}_0 \vee 
\bar{x}_2 \vee x_3)$ and $(\bar{x}_1 \vee \bar{x}_2 \vee x_3,\ \bar{x}_0 \vee \bar{x}_3 \vee x_4)$ yield the same resolvent $\bar{x}_0 \vee \bar{x}_1 \vee \bar{x}_2 \vee x_4$, 
for which $\varphi^* \not\models (c \oplus c' \setminus \{q\})$ fails since $\bar{x}_1 \vee \bar{x}_2 \vee x_4$, which is the resolvent of the last 
two clauses in $\varphi$, is an implicate. Note that $E_4$ is generated from each of the excluded 
symmetric pairs $(\bar{x}_0 \vee \bar{x}_2 \vee x_3,\ \bar{x}_0 \vee \bar{x}_3 \vee x_4)$ and $(\bar{x}_0 \vee \bar{x}_3 \vee x_4,\ \bar{x}_0 \vee \bar{x}_2 \vee x_3)$. $\square$ 

In terms of generating prime implicates, this contrasts with the cases of computing all 
prime implicates of a Horn CNF and all prime implicates that contain a positive literal 
$q$, for which input-resolution style procedures are complete, cf. [2,11]. 
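The following Python code is an added reference check for Example 7 and is not the paper's Algorithm n-Explanations: it enumerates the nontrivial explanations of a negative literal query directly from the definition (consistent with $\varphi$, entails $q$, subset-minimal), deciding Horn entailment by unit propagation, and maps each explanation back to the $q$-prime implicate it corresponds to. The clause encoding and the helper names are assumptions of this example.

```python
"""Brute-force explanations of a negative literal query from a Horn CNF.
Literals are (atom, polarity) pairs, polarity True for x and False for x-bar;
clauses are frozensets of literals.  Added example, not the paper's code."""
from itertools import product

# Constructed from Example 7: phi = (~x0 v x1)(~x1 v ~x2 v x3)(~x1 v ~x3 v x4)
EXAMPLE_7 = [
    frozenset({(0, False), (1, True)}),
    frozenset({(1, False), (2, False), (3, True)}),
    frozenset({(1, False), (3, False), (4, True)}),
]


def horn_satisfiable(clauses):
    """Unit propagation decides satisfiability of a Horn CNF (each clause has
    at most one positive literal): forward-chain positive facts from clauses
    whose negative literals are all satisfied; a purely negative clause whose
    atoms are all forced true is a contradiction."""
    true = set()
    changed = True
    while changed:
        changed = False
        for clause in clauses:
            if any(atom not in true for atom, pos in clause if not pos):
                continue  # some body atom is not (yet) forced
            heads = [atom for atom, pos in clause if pos]
            if not heads:
                return False
            if heads[0] not in true:
                true.add(heads[0])
                changed = True
    return True


def entails(clauses, literal):
    """phi |= l  iff  phi together with the complement of l is unsatisfiable."""
    atom, pos = literal
    return not horn_satisfiable(clauses + [frozenset({(atom, not pos)})])


def explanations(phi, query, n_atoms):
    """All nontrivial explanations E of `query` from phi: sets of literals not
    mentioning the query atom such that phi + E is consistent, phi + E |= query
    and E is subset-minimal.  Exhaustive over the 3^(n-1) literal sets."""
    atoms = [a for a in range(n_atoms) if a != query[0]]
    candidates = []
    for choice in product((None, True, False), repeat=len(atoms)):
        e = frozenset((a, p) for a, p in zip(atoms, choice) if p is not None)
        units = [frozenset({lit}) for lit in e]
        if horn_satisfiable(phi + units) and entails(phi + units, query):
            candidates.append(e)
    minimal = [e for e in candidates if not any(f < e for f in candidates)]
    return sorted(minimal, key=lambda e: (len(e), sorted(e)))


def explanation_to_prime_implicate(explanation, query):
    """An explanation E of q corresponds to the q-clause q v OR_{l in E} ~l,
    which is the clause view used in the completeness argument above."""
    return frozenset({query} | {(a, not p) for a, p in explanation})


if __name__ == "__main__":
    for e in explanations(EXAMPLE_7, (0, False), 5):
        print(sorted(e), "->", sorted(explanation_to_prime_implicate(e, (0, False))))
```

Running the block lists $E_1$ to $E_4$ of Example 7, with $E_4 = \{x_2, \bar{x}_4\}$ mapped to $c_3 = \bar{x}_0 \vee \bar{x}_2 \vee x_4$.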

5 Compound Queries 

In this section, we consider generating all explanations for queries beyond literals. Theorem 1 
implies that this problem is intractable for any common class of CNF queries 
which admits a negative literal. However, also for positive CNFs, it is intractable. 

Theorem 3. Deciding whether a given CNF $\chi$ has an explanation from a Horn CNF $\varphi$ 
is NP-complete. Hardness holds even if $\chi$ is positive and $\varphi$ is negative (thus acyclic). 

Proof. Membership in NP easily follows from Lemma 1. Hardness is shown via a 
reduction from the classical EXACT HITTING SET problem. Let $\mathcal{S} = \{S_1, \ldots, S_m\}$ 
be a collection of subsets $S_i \subseteq U$ of a finite set $U$. Construct $\chi = \bigwedge_i (\bigvee_{u \in S_i} u)$ and 
$\varphi = \bigwedge_i \bigwedge_{x \ne y \in S_i} (\bar{x} \vee \bar{y})$. Then $\chi$ has an explanation from $\varphi$ iff there exists an exact 
hitting set for $\mathcal{S}$, i.e., a set $H \subseteq U$ such that $|H \cap S_i| = 1$ for all $i \in \{1, \ldots, m\}$. $\square$ 
For important special cases of positive CNFs, we obtain positive results. In particular, 
this holds if the query $\chi$ is restricted to be a clause or a term. 

Theorem 4. Computing polynomially many (resp., all) explanations for a query $\chi$ which 
is either a positive clause or a positive term from a Horn CNF $\varphi$ is feasible in polynomial 
time (resp., polynomial total time). 

Proof. Let us first consider the case in which $\chi$ is a positive clause $c = \bigvee_{x \in P(c)} x$. Then 
let $\varphi^* = \varphi \wedge \bigwedge_{x \in P(c)} (\bar{x} \vee x^*)$, where $x^*$ is a new letter. As easily seen, $\varphi^*$ is a Horn 
CNF and there is a one-to-one correspondence between explanations for a query $\chi$ from 
$\varphi$ and the ones for $x^*$ from $\varphi^*$ (except for a trivial explanation $x^*$). This, together with 
the result in [11] that all explanations for a query $\chi = q$ where $q$ is an atom from a Horn 
CNF can be generated with incremental polynomial delay, proves the theorem. 

Similarly, if $\chi$ is a positive term $t = \bigwedge_{x \in P(t)} x$, one can consider explanations for 
$x^*$ from the Horn CNF $\varphi^* = \varphi \wedge (\bigvee_{x \in P(t)} \bar{x} \vee x^*)$, where $x^*$ is a new letter. $\square$ 

In case of acyclic Horn theories, the positive result holds also in the case where negative 
literals are present in a clause query. 

Theorem 5. Computing polynomially many (resp., all) explanations for a query $\chi = c$ 
where $c$ is a clause from an acyclic Horn CNF $\varphi$ is feasible in polynomial time (resp., 
polynomial total time). 

Proof. Let $\chi = \bigvee_{x \in P(c)} x \vee \bigvee_{x \in N(c)} \bar{x}$. Then let $\varphi^* = \varphi \wedge \bigwedge_{x \in P(c)} (\bar{x} \vee x^*) \wedge 
\bigwedge_{x \in N(c)} (x \vee x^*)$, where $x^*$ is a new letter. It is not difficult to see that $\varphi^*$ is an acyclic 
Horn CNF, and there is a one-to-one correspondence between explanations for a query 
$\chi$ from $\varphi$ and the ones for $x^*$ from $\varphi^*$ (except for a trivial explanation $x^*$). This together 
with Theorem 2 proves the theorem. $\square$ 

Note that explanations for a single clause query $\chi = c$ correspond to the minimal support 
clauses for $c$ as used in Clause Management Systems [22]. Thus, from Theorems 1 and 5 
we obtain that while in general, generating all minimal support clauses for a given clause 
$c$ is not possible in polynomial total time unless P = NP, it is feasible with incremental 
polynomial delay for acyclic Horn theories. 

The presence of negative literals in a query $\chi = t$ for a term $t$ from an acyclic 
Horn theory is more involved; a similar reduction technique as for a clause to a single 
literal seems not to work. We can show that generating all nontrivial explanations $E$ 
(i.e., $E \cap \chi = \emptyset$) for a term is intractable; the case of all explanations is currently open. 

6 Conclusion 

We considered computing all abductive explanations for a query $\chi$ from a propositional 
Horn CNF $\varphi$, which is an important problem that has many applications in AI and Computer 
Science. We presented a number of new complexity results, which complement 
and extend previous results in the literature; they are compactly summarized in Table 1. 

We showed the intractability of computing all abductive explanations for a negative 
literal query $\chi$ from a general Horn CNF $\varphi$ (thus closing an open issue), while we 
Table 1. Complexity of computing all abductive explanations for a query $\chi$ from a Horn theory 
(PTT = polynomial total time, NPTT = not polynomial total time unless P=NP) 

Query $\chi$                 | single literal   | single clause      | single term        | general positive 
Horn theory $\Sigma$, by    | atom $q$ | $\bar{q}$ | positive | general | positive | general | CNF 
----------------------------|----------|-----------|----------|---------|----------|---------|------ 
Horn CNF $\varphi$          | PTT$^a$  | NPTT      | PTT      | NPTT    | PTT      | NPTT    | NPTT 
Acyclic Horn CNF $\varphi$  | PTT$^a$  | PTT       | PTT      | PTT     | PTT      |         | NPTT 

$^a$ By the results of [11]. 



presented a polynomial total time algorithm for acyclic Horn CNFs. Since this amounts 
to computing all prime implicates of $\varphi$ which contain $q$, we have obtained as a byproduct 
also new results on computing all such prime implicates from a Horn CNF. Note that 
our intractability result contrasts with the result in [2] that all prime implicates of a 
Horn CNF are computable in polynomial total time. Furthermore, our results on clause 
queries imply analogous results for generating all minimal support clauses for a clause 
in a Clause Management System [22]. 

It remains for further work to complete the picture and to find further meaningful 
input classes of cyclic Horn theories which permit generating a few resp. all explanations 
in polynomial total time. For example, this holds for clause queries from quadratic Horn 
CNFs (i.e., each clause is Horn and has at most 2 literals) and for literal queries from 
Horn CNFs in which each clause contains the query literal. Another issue is a similar 
study for the case of predicate logic. 
Abstract. In [1,2] Zhang shows how the complexity of cut elimination 
depends on the nesting of quantifiers in cut formulas. By studying the role 
of contractions we can refine that analysis and show how the complexity 
depends on a combination of contractions and quantifier nesting. With 
the refined analysis the upper bound on cut elimination coincides with 
Statman's lower bound. Every non-elementary growth example must display 
a combination of nesting of quantifiers and contractions similar to 
Statman's lower bound example. The upper and lower bounds on cut 
elimination immediately translate into bounds on Herbrand's theorem. 
Finally we discuss the role of quantifier alternations and show an elementary 
upper bound for the $\forall$-$\wedge$-case (resp. $\exists$-$\vee$-case). 



1 Introduction 

The most commonly used proofs of cut elimination by Schwichtenberg [3] and 
Buss [4] give an estimate of the depth, resp. size, of a cut free proof in terms 
of the (logical) depth of the largest cut formula and the depth, resp. size, of 
the original proof. As shown by Zhang [1,2] this bound can be refined by distinguishing 
between propositional connectives and quantifiers in the complexity 
analysis of cut elimination, showing that the elimination of quantifiers causes 
the non-elementary complexity. We derive a proof of Zhang's improved result 
from Buss's (clear and understandable) proof of cut elimination in [4]. In [5,6] 
Luckhardt discusses simplifications of Zhang's result, which originally motivated 
the proof given below. 

Analysing contractions we can show that all non-elementary growth examples 
for cut elimination must display both nested quantifiers and also contractions on 
ancestors of cut formulas. If the proof is contraction free or if one restricts contraction 
w.r.t. the nesting of quantifiers in contracted formulas, cut elimination 
can be shown to be elementary. We discuss how Statman's lower bound example 
displays an optimal combination of nested quantifiers and contractions, and how 
Statman's lower and our refined upper bound coincide. These bounds translate 
directly into bounds on the size of a Herbrand disjunction, i.e. the number of 

* Basic Research in Computer Science (www.brics.dk), funded by the Danish National 
Research Foundation. 

different formula instances in the disjunction. Finally we discuss a further refinement 
of cut elimination based upon eliminating arbitrary $\forall$-$\wedge$-cuts (resp. 
$\exists$-$\vee$-cuts) with exponential complexity. 



2 Notation and Definitions 



2.1 The Calculus LK 

We use a version of the sequent calculus LK. We write $x, y, z$ for bound and 
$\alpha, \beta, \gamma$ for free variables. Terms and formulas are defined in the usual way. An 
LK-proof is a rooted tree in which the nodes are sequents. The root of the tree is 
called the end-sequent, the leaves $A \vdash A$ for atomic formulas $A$ are called initial 
sequents. All nodes but the initial sequents must be inferred by one of the rules 
below. Proofs are denoted by $\phi$, $\chi$ and $\psi$. $\Gamma$, $\Delta$, $\Pi$ and $\Lambda$ serve as metavariables 
for multisets of formulas. The multiset of formulas to the left of the separation 
symbol $\vdash$ is called antecedent, the multiset to the right is called succedent. 

The logical rules are (multiplicative version; the rule name follows each inference): 

$\dfrac{A, B, \Gamma \vdash \Delta}{A \wedge B, \Gamma \vdash \Delta}\ \wedge{:}l$ 
$\qquad \dfrac{\Gamma \vdash \Delta, A \qquad \Pi \vdash \Lambda, B}{\Gamma, \Pi \vdash \Delta, \Lambda, A \wedge B}\ \wedge{:}r$ 

$\dfrac{A, \Gamma \vdash \Delta \qquad B, \Pi \vdash \Lambda}{A \vee B, \Gamma, \Pi \vdash \Delta, \Lambda}\ \vee{:}l$ 
$\qquad \dfrac{\Gamma \vdash \Delta, A, B}{\Gamma \vdash \Delta, A \vee B}\ \vee{:}r$ 

$\dfrac{\Gamma \vdash \Delta, A \qquad B, \Pi \vdash \Lambda}{A \to B, \Gamma, \Pi \vdash \Delta, \Lambda}\ \to{:}l$ 
$\qquad \dfrac{A, \Gamma \vdash \Delta, B}{\Gamma \vdash \Delta, A \to B}\ \to{:}r$ 

$\dfrac{\Gamma \vdash \Delta, A}{\neg A, \Gamma \vdash \Delta}\ \neg{:}l$ 
$\qquad \dfrac{A, \Gamma \vdash \Delta}{\Gamma \vdash \Delta, \neg A}\ \neg{:}r$ 

$\dfrac{\Gamma, A\{x \leftarrow t\} \vdash \Delta}{\Gamma, (\forall x)A \vdash \Delta}\ \forall{:}l$ 
$\qquad \dfrac{\Gamma \vdash \Delta, A\{x \leftarrow \alpha\}}{\Gamma \vdash \Delta, (\forall x)A}\ \forall{:}r,\ \alpha \notin FV(\forall x A(x))$ 

$\dfrac{\Gamma \vdash \Delta, A\{x \leftarrow t\}}{\Gamma \vdash \Delta, (\exists x)A}\ \exists{:}r$ 
$\qquad \dfrac{\Gamma, A\{x \leftarrow \alpha\} \vdash \Delta}{\Gamma, (\exists x)A \vdash \Delta}\ \exists{:}l,\ \alpha \notin FV(\exists x A(x))$ 

$\forall{:}r$ (resp. $\exists{:}l$) must fulfill the eigenvariable condition, i.e. the free variable $\alpha$ 
does not occur in $\Gamma \vdash \Delta$. In $\forall{:}l$ (resp. $\exists{:}r$) $t$ may be an arbitrary term, but 
admitting only free variables. 

The structural rules are: 

$\dfrac{\Gamma \vdash \Delta}{A, \Gamma \vdash \Delta}\ w{:}l$ 
$\qquad \dfrac{\Gamma \vdash \Delta}{\Gamma \vdash \Delta, A}\ w{:}r$ 

$\dfrac{A, A, \Gamma \vdash \Delta}{A, \Gamma \vdash \Delta}\ c{:}l$ 
$\qquad \dfrac{\Gamma \vdash \Delta, A, A}{\Gamma \vdash \Delta, A}\ c{:}r$ 

$\dfrac{\Gamma \vdash \Delta, A \qquad A, \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut$ 
Weakening and contraction inferences are called weak inferences. All other inferences 
are called strong. In the contraction free case the above multiplicative version 
of LK corresponds to the multiplicative fragment of affine linear logic [7,8], 
which also is discussed as direct predicate calculus in [9,10]. 

2.2 Definitions: Properties of Terms, Formulas and Proofs 

Definition 1 (free variable normal form). A proof $\phi$ is in free variable normal 
form if no variable that is free in the end-sequent is used as an eigenvariable 
somewhere in the proof, and every other free variable appearing in $\phi$ is used 
exactly once as an eigenvariable and appears in $\phi$ only in sequents above the 
inference in which it is used as an eigenvariable. 

Definition 2 (mid-sequent). A proof $\phi$ is in mid-sequent form if it can be divided 
in an upper, quantifier-free part and a lower part, consisting only of quantifier 
inferences and contractions. The last sequent before the first quantifier inference 
is called the mid-sequent. 

Definition 3 (depth and size of a proof). The depth $|\phi|$ of a proof $\phi$ is the depth 
of the proof tree, counting only strong inferences and axioms. The size $\|\phi\|$ of a 
proof $\phi$ is the number of strong inferences and axioms in the proof. 

Definition 4 (depth of a formula). The depth $|A|$ of an atomic formula $A$ is 
defined as $|A| = 0$. For formulas $A$ and $B$ we define $|A \vee B| = |A \wedge B| = |A \to 
B| = \max(|A|, |B|) + 1$, and $|\neg A| = |\forall x A(x)| = |\exists x A(x)| = |A| + 1$. 

Definition 5 (cut-rank $\rho$ of a proof). The cut-rank of a proof $\phi$ is the 
supremum of the depths of the cut formulas in $\phi$. 

Definition 6 (nested quantifier depth of formulas and proofs). The nested 
quantifier depth $nqf(A)$ of an atomic formula $A$ is defined as $nqf(A) = 0$. 
For formulas $A$ and $B$ we define $nqf(A \vee B) = nqf(A \wedge B) = nqf(A \to B) = 
\max(nqf(A), nqf(B))$, $nqf(\neg A) = nqf(A)$, and $nqf(\forall x A(x)) = nqf(\exists x A(x)) = 
nqf(A) + 1$. The nested quantifier depth $nqf(\phi)$ of a proof $\phi$ is the supremum of 
the nested quantifier depths of the cut formulas in $\phi$. 

Definition 7 (propositional depth of formulas). Let $B$ be a formula occurrence 
in $A$ and let $A$ be constructed from $B$ and other formulas by propositional connectives 
only. Then the propositional depth of $B$ in $A$ is the number of propositional 
connectives which have to be removed from $A$ to obtain $B$. 

Definition 8 (deepest quantified formulas and proofs). For a formula $A$ we 
define $dqf(A)$ as the supremum over the propositional depths of subformulas $B$ 
of $A$ which have $nqf(B) = nqf(A)$. Let $\phi$ be a proof of $\Gamma \vdash \Delta$. Then $dqf(\phi)$ is the 
supremum over $dqf(A_i)$ for cut formulas $A_i$ in $\phi$ which have $nqf(A_i) = nqf(\phi)$. 

Definition 9 (the hyper-exponential function). The hyper-exponential function 
$2^x_n$ is defined as $2^x_0 = x$ and $2^x_{n+1} = 2^{2^x_n}$. We write $2_n$ for $2^0_n$. 
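The measures of Definitions 4, 6, 7, 8 and 9 on a small formula tree, as an added example that is not part of the paper (the tuple-based AST, the names `depth`, `nqf`, `dqf`, `hyperexp` and `cut_measures`, and the sample formula are assumptions of this example):

```python
"""Formula measures from Definitions 4-9 on a first-order formula AST.
Assumed representation (not the paper's): ('atom', name), ('not', A),
('and'|'or'|'imp', A, B), ('forall'|'exists', var, A).  Added example."""

PROP = {"not", "and", "or", "imp"}
QUANT = {"forall", "exists"}


def subformulas(f):
    """Immediate subformulas of f (empty for atoms)."""
    kind = f[0]
    if kind == "atom":
        return ()
    if kind == "not":
        return (f[1],)
    if kind in ("and", "or", "imp"):
        return (f[1], f[2])
    return (f[2],)  # quantifier: ('forall'|'exists', var, body)


def depth(f):
    """Definition 4: logical depth |A|; every connective and quantifier counts."""
    if f[0] == "atom":
        return 0
    return max(depth(g) for g in subformulas(f)) + 1


def nqf(f):
    """Definition 6: nested quantifier depth; only quantifiers add 1."""
    if f[0] == "atom":
        return 0
    inner = max(nqf(g) for g in subformulas(f))
    return inner + 1 if f[0] in QUANT else inner


def dqf(f):
    """Definition 8 via Definition 7: the largest propositional depth of a
    subformula B reachable from the root through propositional connectives
    only (never through a quantifier) with nqf(B) = nqf(A).  dqf(A) = 0 means
    the deepest-nested quantifier is already at the root, or A is atomic."""
    target = nqf(f)
    best = 0
    stack = [(f, 0)]  # (subformula occurrence, its propositional depth)
    while stack:
        g, d = stack.pop()
        if nqf(g) == target:
            best = max(best, d)
        if g[0] in PROP:
            stack.extend((h, d + 1) for h in subformulas(g))
    return best


def hyperexp(n, x=0):
    """Definition 9: 2^x_0 = x and 2^x_{n+1} = 2^(2^x_n); hyperexp(n) is 2_n."""
    for _ in range(n):
        x = 2 ** x
    return x


def cut_measures(cut_formulas):
    """Definitions 5, 6 and 8 lifted to a proof given its cut formulas:
    returns (cut-rank rho, nqf(phi), dqf(phi)); all 0 for a cut free proof."""
    if not cut_formulas:
        return (0, 0, 0)
    rho = max(depth(a) for a in cut_formulas)
    n = max(nqf(a) for a in cut_formulas)
    d = max(dqf(a) for a in cut_formulas if nqf(a) == n)
    return (rho, n, d)


# Constructed sample: A = (forall x P(x)) v not(exists y Q(y)); the deepest
# quantified subformula with nqf = 1 is exists y Q(y), sitting two propositional
# connectives below the root, so dqf(A) = 2 while depth(A) = 3.
SAMPLE = ("or", ("forall", "x", ("atom", "P(x)")),
                ("not", ("exists", "y", ("atom", "Q(y)"))))

if __name__ == "__main__":
    print(depth(SAMPLE), nqf(SAMPLE), dqf(SAMPLE), hyperexp(3))
```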
3 Cut Elimination 

3.1 Zhang's Refined Bound on Cut Elimination 

To prove Zhang's refined upper bound on cut elimination we state the following 
Refined Reduction Lemma: 

Refined Reduction Lemma. Let $\phi$ be an LK-proof of a sequent $\Gamma \vdash \Delta$ with 
the final inference a cut with cut formula $A$. Then if for all other cut formulas 
$B$ 

(i) $nqf(A) \ge nqf(B)$ and $dqf(\phi) = dqf(A) > dqf(B)$, then there exists a 
proof $\phi'$ of the same sequent with $dqf(\phi') \le dqf(\phi) - 1$ and $|\phi'| \le |\phi| + 1$. 

(ii) $nqf(\phi) = nqf(A) > nqf(B)$ and $dqf(A) = 0$, then there exists a proof 
$\phi'$ of the same sequent with $nqf(\phi') \le nqf(\phi) - 1$ and $|\phi'| \le 2 \cdot |\phi|$. 

If the cut formula $A$ is atomic and both subproofs are cut free, then there is 
a cut free proof $\phi'$ with $|\phi'| \le 2 \cdot |\phi|$. 

Proof: The proof is by cases on the structure of the cut formula $A$. We assume 
w.l.o.g. that $\phi$ is in free variable normal form and that for no cut formula all 
direct ancestors in either subproof are introduced by weakenings only, as the 
reduction is trivial in that case. We implicitly skip weakening inferences that 
introduce a direct ancestor to a cut formula. This can be done without harming 
the validity of the proof transformations given below. 

Case 1: $A = \neg B$. We then have the final inference of $\phi$ (with subproofs $\chi$ and $\psi$): 

$\dfrac{\Gamma \vdash \Delta, \neg B \qquad \neg B, \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut$ 

We transform the proofs $\chi$ and $\psi$ into proofs $\chi'$ and $\psi'$ of the sequents $B, \Gamma \vdash \Delta$ 
and $\Pi \vdash \Lambda, B$ respectively. In $\chi$ we find all $\neg{:}r$ inferences which introduce a 
direct ancestor of $\neg B$. By skipping these inferences, and replacing contractions 
to the right on $\neg B$ with contractions to the left on $B$, we obtain a proof of 
$B, \Gamma \vdash \Delta$. The transformation of $\psi$ into $\psi'$ is similar. The final inference of the 
modified proof $\phi'$ is then (with subproofs $\psi'$ and $\chi'$): 

$\dfrac{\Pi \vdash \Lambda, B \qquad B, \Gamma \vdash \Delta}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut$ 

Trivially $dqf(\phi') \le dqf(\phi) - 1$ and $|\phi'| \le |\phi|$. 

Case 2a: $A = B \vee C$. We then have the final inference of $\phi$ (with subproofs $\chi$ and $\psi$): 

$\dfrac{\Gamma \vdash \Delta, B \vee C \qquad B \vee C, \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut$ 

We transform the proof $\chi$ into a proof $\chi'$ of the sequent $\Gamma \vdash \Delta, B, C$, and $\psi$ 
into proofs $\psi_B$ and $\psi_C$ of the sequents $B, \Pi \vdash \Lambda$ and $C, \Pi \vdash \Lambda$ respectively. In 
$\chi$ we skip the $\vee{:}r$ inferences where direct ancestors of the cut formula $B \vee C$ 
are introduced and replace contractions on $B \vee C$ by contractions on $B$ and $C$. 
For the transformed proof $|\chi'| \le |\chi|$. To transform $\psi$ into $\psi_B$ we replace all 
inferences where a direct ancestor of the cut formula $B \vee C$ has been introduced 
(with subproofs $\pi_0$ and $\pi_1$) 

$\dfrac{B, \Pi_0 \vdash \Lambda_0 \qquad C, \Pi_1 \vdash \Lambda_1}{B \vee C, \Pi' \vdash \Lambda'}\ \vee{:}l$ 

(with $\Pi' = \Pi_0 \cup \Pi_1$ and $\Lambda' = \Lambda_0 \cup \Lambda_1$) with inferences (keeping only $\pi_0$) 

$\dfrac{B, \Pi_0 \vdash \Lambda_0}{B, \Pi' \vdash \Lambda'}\ w{:}l,r$ 

We replace contractions on $B \vee C$ with contractions on $B$. The proof for $\psi_C$ 
is obtained in a similar way. In both instances no strong inferences have been 
added to the proof, so $|\psi_B| \le |\psi|$ and $|\psi_C| \le |\psi|$. The transformed proofs can 
then be combined to a new proof $\phi'$ in the following way (subproofs $\chi'$, $\psi_B$ and $\psi_C$): 

$\dfrac{\dfrac{\Gamma \vdash \Delta, B, C \qquad B, \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda, C}\ cut \qquad C, \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut,\ c{:}r,l$ 

Then $dqf(\phi') \le dqf(\phi) - 1$ and $|\phi'| = \sup(|\chi'|, |\psi_C|) + 2 \le |\phi| + 1$. 
Case 2b+c: $A = B \wedge C$, $A = B \to C$. These cases are symmetrical to 2a. 
Case 3a: $A = \exists x B(x)$. We then have the final inference of the proof (with subproofs $\chi$ and $\psi$): 

$\dfrac{\Gamma \vdash \Delta, \exists x B(x) \qquad \exists x B(x), \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut$ 

In the subproof $\chi$ we find $k$ $\exists{:}r$ inferences where direct ancestors of the 
formula $\exists x B(x)$ have been introduced and enumerate these (for $1 \le i \le k$) 

$\dfrac{\Gamma_i \vdash \Delta_i, B(t_i)}{\Gamma_i \vdash \Delta_i, \exists x B(x)}\ \exists{:}r$ 

Similarly in $\psi$ we enumerate all $l$ $\exists{:}l$ inferences which introduce a direct ancestor 
of the cut formula as (for $1 \le j \le l$) 

$\dfrac{B(\alpha_j), \Pi_j \vdash \Lambda_j}{\exists x B(x), \Pi_j \vdash \Lambda_j}\ \exists{:}l$ 

We obtain proofs $\psi_i$ of the sequents $B(t_i), \Pi \vdash \Lambda$ by replacing in $\psi$ all $l$ variables 
$\alpha_j$ with the term $t_i$. This is unproblematic since the proof is in free variable 
normal form. We replace the contractions on $\exists x B(x)$ by contractions on $B(t_i)$. 
We construct a proof $\phi'$ by replacing the $k$ enumerated quantifier introductions 
in $\chi$ with cuts, so that the inferences become (with subproofs $\chi_i$ and $\psi_i$) 

$\dfrac{\Gamma_i \vdash \Delta_i, B(t_i) \qquad B(t_i), \Pi \vdash \Lambda}{\Gamma_i, \Pi \vdash \Delta_i, \Lambda}\ cut$ 

We contract multiple copies of $\Pi$ and $\Lambda$ in the end sequent to make $\phi'$ a proof 
of $\Gamma, \Pi \vdash \Delta, \Lambda$. Trivially $nqf(\phi') \le nqf(\phi) - 1$ and since $|\chi'| \le |\chi| < |\phi|$ and 
$|\psi_i| \le |\psi| < |\phi|$ and $|\phi'| \le |\chi| + \sup\{|\psi_i|\}$, also $|\phi'| \le 2 \cdot |\phi|$. 

Case 3b: $A = \forall x B(x)$. This case is symmetrical to 3a. 

Case 4: $A$ is atomic. We then have the final inference (with subproofs $\chi$ and $\psi$): 

$\dfrac{\Gamma \vdash \Delta, A \qquad A, \Pi \vdash \Lambda}{\Gamma, \Pi \vdash \Delta, \Lambda}\ cut$ 

By assumption $\chi$ and $\psi$ are cut free. We obtain the desired proof by modifying 
the proof $\psi$ of $A, \Pi \vdash \Lambda$. We remove from $\psi$ all direct ancestors of the cut 
formula $A$ and add $\Gamma$ and $\Delta$ to the antecedent, resp. succedent, of each sequent 
where an ancestor of the cut formula $A$ has been removed. We then ensure all 
initial sequents in $\psi$ have valid proofs. The initial sequents $B \vdash B$ for $B \ne A$ 
do not need new proofs. For $\Gamma \vdash \Delta, A$ we use the (cut free) subproof $\chi$, thus 
obtaining a proof of $\Gamma^k, \Pi \vdash \Delta^k, \Lambda$, where $k$ is the number of initial sequents we 
had to "repair". By contractions we arrive at a proof $\phi'$ of $\Gamma, \Pi \vdash \Delta, \Lambda$, where 
$\phi'$ is cut free and $|\phi'| \le 2 \cdot |\phi|$. $\square$ 

We use the following lemmas to prove Zhang's refined cut elimination theorem: 

Lemma 10. Let $\phi$ be an LK-proof of a sequent $\Gamma \vdash \Delta$. If $dqf(\phi) = d > 0$, then 
there is a proof $\phi'$ of the same sequent with $dqf(\phi') = 0$ and $|\phi'| \le 2^d \cdot |\phi|$. 

Proof: By the Refined Reduction Lemma and induction on $d$. $\square$ 

Lemma 11. Let $\phi$ be an LK-proof of a sequent $\Gamma \vdash \Delta$. If $dqf(\phi) = 0$ and 
$nqf(\phi) = d > 0$, then there is a proof $\phi'$ of the same sequent with $nqf(\phi') \le d - 1$ 
and $|\phi'| \le 2^{|\phi|}$. 

Proof: By the Refined Reduction Lemma and induction on $|\phi|$. $\square$ 

First Refined Cut Elimination Theorem. Let $\phi$ be an LK-proof of a sequent 
$\Gamma \vdash \Delta$. If $nqf(\phi) = d > 0$, then there is a proof $\phi'$ of the same sequent 
and a constant $c$, depending only on the propositional nesting of the cut formulas, 
so that $nqf(\phi') \le d - 1$ and $|\phi'| \le 2^{c \cdot |\phi|}$. 

Proof: Assume we have a proof with $dqf(\phi) = k$ and $nqf(\phi) = d$. Then by 
Lemma 10 we get a proof $\phi''$ with $dqf(\phi'') = 0$ and $|\phi''| \le 2^k \cdot |\phi|$. Let $c \ge 2^k$, 
then by Lemma 11 we get a proof $\phi'$ with $nqf(\phi') \le d - 1$ and $|\phi'| \le 2^{c \cdot |\phi|}$. $\square$ 

Corollary 12. Let $\phi$ be an LK-proof of a sequent $\Gamma \vdash \Delta$ and let $nqf(\phi) = d$. 
Then there is a constant $c$, depending only on the propositional nesting of the cut 
formulas, and a proof $\phi'$ of the same sequent where $\phi'$ is cut free and $|\phi'| \le 2^{c \cdot |\phi|}_{d+1}$. 

Proof: By the First Refined Cut Elimination Theorem and induction on $d$. $\square$ 

3.2 The Role of Contractions in Cut Elimination 

We show that if no direct ancestor of a cut formula has been contracted, the 
cut can be reduced by a mere rearrangement of the proof. We define $cnqf$, the 
contracted nested quantifier depth, of formulas and proofs. 

Definition 13. Let $A$ be a cut formula in a proof and let $B_1, B_2, \ldots, B_k$ be 
ancestors of $A$, s.t. $B_i$ is a principal formula in a contraction inference. Then 
the contracted nested quantifier depth $cnqf(A)$ is the supremum over $nqf(B_i)$. 
For a proof $\phi$, $cnqf(\phi)$ is the supremum over $cnqf(A_i)$ for cut formulas $A_i$. 

We state the following variant of the reduction lemma: 

Lemma 14. Let $\phi$ be a proof with the final inference a cut with cut formula $A$, 
where there have been no contractions on direct ancestors of the cut formula. 
Then if for all other cut formulas $B$ 

(i) $nqf(A) \ge nqf(B)$ and $dqf(A) = 0$, then we can find a proof $\phi'$ of the 
same sequent with $nqf(\phi') \le nqf(\phi) - 1$ 

(ii) $nqf(A) \ge nqf(B)$ and $dqf(A) > dqf(B)$, then we can find a proof $\phi'$ of 
the same sequent with $nqf(\phi') = nqf(\phi)$ and $dqf(\phi') \le dqf(\phi) - 1$ 

(iii) $A$ is atomic and the subproofs are cut free, then we can find a cut free 
proof $\phi'$ of the same sequent 

where in all cases no new contractions have been added to $\phi'$ and $\|\phi'\| \le \|\phi\|$. 
Proof: The proof is by cases on the structure of $A$. 

Case 1: $A = \neg B$. We use the same proof transformation as before. No new 
contractions have been added to $\phi'$, so $dqf(\phi') \le dqf(\phi)$ and $\|\phi'\| \le \|\phi\|$. 

Case 2a: $A = B \vee C$. Since no contractions have been made on direct ancestors 
of the cut formula, we can find the unique inferences where the $\vee$-connective has 
been introduced. Those inferences are (in $\chi$, resp. $\psi$; with subproofs $\chi_0$, resp. $\psi_0$ and $\psi_1$): 

$\dfrac{\Gamma' \vdash \Delta', B, C}{\Gamma' \vdash \Delta', B \vee C}\ \vee{:}r 
\qquad \dfrac{B, \Pi_0 \vdash \Lambda_0 \qquad C, \Pi_1 \vdash \Lambda_1}{B \vee C, \Pi' \vdash \Lambda'}\ \vee{:}l$ 

where $\Pi' = \Pi_0 \cup \Pi_1$ and $\Lambda' = \Lambda_0 \cup \Lambda_1$. We construct the following new proof 
(subproofs $\chi_0$, $\psi_0$ and $\psi_1$): 

$\dfrac{\dfrac{\Gamma' \vdash \Delta', B, C \qquad B, \Pi_0 \vdash \Lambda_0}{\Gamma', \Pi_0 \vdash \Delta', \Lambda_0, C}\ cut \qquad C, \Pi_1 \vdash \Lambda_1}{\Gamma', \Pi' \vdash \Delta', \Lambda'}\ cut$ 

The remaining steps to get a proof of $\Gamma, \Pi \vdash \Delta, \Lambda$ are as in the subproofs $\chi$ and 
$\psi$ respectively. In the new proof $\phi'$ we replaced two $\vee$-introductions and a cut by 
two new cuts. No new contractions have been added to $\phi'$, so $dqf(\phi') \le dqf(\phi) - 1$ 
and $\|\phi'\| \le \|\phi\|$. 

Case 2b+ c: A = B A C, A = B — ► C. These cases are symmetrical to 2a. 

Case 3a: A = 3 xB{x). We again know that in \ there is a unique inference 
where the quantified variable x has been introduced for some term t: 

r b A', B(t) 
r' b A',3xB(x) 3 : r 

The subproof %[ can be transformed to a proof ift of B(t),II b A as described 
earlier. These proofs can now be combined to a new proof (ft by replacing the 
inference in \ with a cut 

x' fp' 

r'\-A',B(t) B(t),n\-A 

r,n^ A', a cut 

and then continuing with \ as before. We skip some inferences and then rearrange 
the proof, adding no new contractions, so nqf (<//) < nqf{(j)) — 1 and H^'H < ||^||. 

Case 3b: A = \/xB(x). This case is symmetrical to 3a. 

Case 4: A is atomic. Again we know there is exactly one ancestor to the cut 
formula in each subproof. We showed earlier how to obtain a cut free proof of 
r k ,II b A k ,A, where k was the number of direct ancestors of the cut formula 
A in the left subproof Since now fc = 1 we automatically have a proof 4>’ of 
r,I7b A, A, and \\<j/\\ < \\(f>\\. ' □ 

Contraction Lemma. Let $\phi$ be an LK-proof of a sequent $\Gamma \vdash \Delta$ with $nqf(\phi) > cnqf(\phi)$. Then there is a proof $\phi'$ of the same sequent with $nqf(\phi') = cnqf(\phi')$ and $\|\phi'\| \le \|\phi\|$. As a consequence also $|\phi'| \le 2^{|\phi|}$.

Proof: By induction on the number of uncontracted cuts and Lemma 14 we get a proof $\phi'$ s.t. $nqf(\phi') = cnqf(\phi')$ and $\|\phi'\| \le \|\phi\|$. By $\|\phi\| \le 2^{|\phi|}$ and $|\phi'| \le \|\phi'\|$ we get $|\phi'| \le 2^{|\phi|}$. □

Second Refined Cut Elimination Theorem. Let $\phi$ be an LK-proof of a sequent $\Gamma \vdash \Delta$. Then there is a constant $c$ depending only on the propositional nesting of the cut formulas and a cut free proof $\phi'$ of the same sequent where

$$|\phi'| \le 2^{c \cdot |\phi|}_{cnqf(\phi)+2}.$$

Proof: By the Contraction Lemma and Corollary 12. □

Remark. In the contraction free case, i.e. for the multiplicative fragment of affine linear logic, we get an exponential upper bound on cut elimination. A comparable result was shown by Bellin and Ketonen in [10].
If we compare the results of this section with previous results by Schwichtenberg [3], Buss [4] and Zhang [1,2], we get the following table:

  bound            complexity $|\cdot|$                      complexity $\|\cdot\|$
  Schwichtenberg   $2^{c\cdot|\phi|}_{\rho(\phi)+1}$          $2^{c\cdot\|\phi\|}_{\rho(\phi)+2}$
  Buss             -                                         $2^{c\cdot\|\phi\|}_{2\rho(\phi)+2}$
  Zhang            $2^{c\cdot|\phi|}_{nqf(\phi)+1}$           $2^{c\cdot\|\phi\|}_{nqf(\phi)+2}$
  Gerhardy         $2^{c\cdot|\phi|}_{cnqf(\phi)+2}$ (*)      $2^{c\cdot\|\phi\|}_{cnqf(\phi)+3}$ (*)

(*) In the case that $cnqf(\phi) = nqf(\phi)$ we can, as discussed, use the estimates based on $nqf$ to match Zhang's bound.



3.3 Statman's Theorem

A Kalmar non-elementary lower bound on Herbrand's theorem, and hence also cut elimination, was first proved by Statman [11]. Statman's theorem states that there exist simple sequents $S_n$, for which we have short proofs (of depth linear in $n$), but for which every cut free proof must have depth at least $2_n$. The original example used by Statman is formulated in relational logic. Later presentations are due to Orevkov [12] and Pudlak [13]. We will present Pudlak's version of the theorem, which uses a simple fragment $T$ of arithmetic.

Let the theory $T$ be the language with function symbols $+$, $\cdot$, $2^{x}$, relation symbols $=$, $I(\cdot)$ and constants $0$, $1$. The theory $T$ has the following non-logical axioms: $(x+y)+z = x+(y+z)$, $y+0 = y$, $2^0 = 1$, $2^x + 2^x = 2^{1+x}$, $I(0)$ and $I(x) \to I(1+x)$.

We want to prove the sequents $S_n = \bigwedge Ax_{T+eq} \vdash I(2_n)$, expressing that $T$ with some equality proves $2_n$ is an integer. Here $\bigwedge Ax_{T+eq}$ is the universal closure of a finite conjunction of axioms from $T$ and equality axioms over $T$. For the short proofs of $S_n$ we make use of recursively defined relations $R_i$: $R_0 := I$, $R_{i+1}(x) := \forall y (R_i(y) \to R_i(2^x + y))$. The proofs will employ subproofs $\phi_i$ and $\psi_i$ as presented in [14]. Both $\phi_i$ and $\psi_i$ have short, almost cut-free proofs, as only some cuts on instances of equality axioms are needed.

We give a sketch of short proofs $\pi_n$ of the sequents $S_n$. For convenience and readability $\bigwedge Ax_{T+eq}$ is only written in the end-sequent, though it is used throughout the proof. The cut and contraction inferences that are critical for the non-elementary complexity are marked with a $*$.



$$
\frac{
  \overset{\psi_0}{\vdash R_0(0)}
  \qquad
  \dfrac{
    \dfrac{
      \overset{\psi_1}{\vdash R_1(0)}
      \qquad
      \dfrac{\vdash R_2(2_{n-2}) \qquad \overset{\phi_1}{R_2(2_{n-2}), R_1(0) \vdash R_1(2_{n-1})}}{R_1(0) \vdash R_1(2_{n-1})}\ \text{cut}
    }{\vdash R_1(2_{n-1})}\ \text{cut}(*)
    \qquad
    \overset{\phi_0}{R_1(2_{n-1}), R_0(0) \vdash R_0(2_n)}
  }{R_0(0) \vdash R_0(2_n)}\ \text{cut}
}{\bigwedge Ax_{T+eq} \vdash R_0(2_n)}\ \text{cut}(*)
$$

The proof continues in a symmetric fashion, ending with the top line:

$$
\frac{\overset{\psi_n}{\vdash R_n(2_{n-n} = 2_0)} \qquad R_n(2_0), R_{n-1}(0) \vdash R_{n-1}(2_1)}{R_{n-1}(0) \vdash R_{n-1}(2_1)}\ \text{cut}
$$

which can be simplified as

$$
R_{n-1}(0) \vdash R_{n-1}(2_1)
$$
The subproofs for $\phi_i$ and $\psi_i$ are simple proofs of depth linear in $n$. We show the proof of $\psi_i$, as it is in these proofs that ancestors of cut formulas $R_i(0)$ are contracted. The proofs $\phi_i$ are contraction free. The proof $\psi_i$ is, written as a numbered sequence of sequents with the inference that derives each:

(1) $R_{i-2}(2^{\beta}+\alpha) \vdash R_{i-2}(2^{\beta}+\alpha)$ (axiom)

(2) $R_{i-2}(2^{1+\beta}+\alpha) \vdash R_{i-2}(2^{1+\beta}+\alpha)$ (axiom)

(3) $R_{i-2}(2^{\beta}+\alpha) \to R_{i-2}(2^{1+\beta}+\alpha),\ R_{i-2}(2^{\beta}+\alpha) \vdash R_{i-2}(2^{1+\beta}+\alpha)$ ($\to$:l from (1), (2))

(4) $R_{i-1}(\beta),\ R_{i-2}(2^{\beta}+\alpha) \vdash R_{i-2}(2^{1+\beta}+\alpha)$ ($\forall$:l from (3))

(5) $R_{i-2}(\alpha) \vdash R_{i-2}(\alpha)$ (axiom)

(6) $R_{i-1}(\beta),\ R_{i-2}(\alpha) \to R_{i-2}(2^{\beta}+\alpha),\ R_{i-2}(\alpha) \vdash R_{i-2}(2^{1+\beta}+\alpha)$ ($\to$:l from (5), (4))

(7) $R_{i-1}(\beta),\ R_{i-1}(\beta),\ R_{i-2}(\alpha) \vdash R_{i-2}(2^{1+\beta}+\alpha)$ ($\forall$:l from (6))

(8) $R_{i-1}(\beta),\ R_{i-2}(\alpha) \vdash R_{i-2}(2^{1+\beta}+\alpha)$ (c:l$(*)$ from (7))

(9) $R_{i-1}(\beta) \vdash R_{i-1}(1+\beta)$ ($\to$:r and $\forall$:r from (8))

(10) $\vdash R_{i-1}(\beta) \to R_{i-1}(2^{0}+\beta)$ ($\to$:r from (9))

(11) $\bigwedge Ax_{T+eq} \vdash R_i(0)$ ($\forall$:r from (10))

The proof necessary for the simplification of the top line of the proof $\pi_n$ is obtained from $\psi_n$ by skipping the last two inferences and substituting $0$ for $\beta$ throughout the proof. For more details on the proofs $\phi_i$ and $\psi_i$ see [14] and [15].

Proposition 15. There exist short proofs $\pi_n$ of sequents $S_n$ s.t. $|\pi_n| \le O(n)$.

Proof: See Pudlak [13], Baaz/Leitsch [14] or Gerhardy [15]. □

To estimate the lower bound for the complexity of cut elimination we will use a property of mid-sequents. It is common to extract mid-sequents from cut free proofs, but it can be shown that proofs with all cuts quantifier free suffice.

Proposition 16. Let $\phi$ be a proof of a prenex formula $A$ with at most quantifier free cuts. Then we can extract a mid-sequent and bound the number of non-identical formula instances of $A$ in the mid-sequent by $2^{|\phi|}$.

Proof: In Appendix. □

Since we can derive a Herbrand disjunction from a mid-sequent we immediately have the following theorem:

Theorem 17. Let $\phi$ be a proof of a prenex formula $A$. Then for some constant $c$ the number of formula instances of $A$ in a Herbrand disjunction can be bounded by $2^{c \cdot |\phi|}$ resp. $2^{c \cdot \|\phi\|}$.

Proof: By the Second Refined Cut Elim. Theorem and Proposition 16. □

Lemma 18. Let $S_n = \vdash \exists \ldots \exists (\bigwedge Ax_{T+eq} \to I(2_n))$ be the sequents as described above. Let $\chi_n$ be a proof in mid-sequent form of the sequent $S_n$. Then the mid-sequent must contain at least $2_n$ different instances of the axiom $I(x) \to I(1+x)$.
Proof: See Pudlak [13]. □

Theorem 19. Let the sequents $S_n$ be as described above. Then for every proof $\chi_n$ of $S_n$ with quantifier free cuts $|\chi_n| \ge 2_{n-1}$.

Proof: By Proposition 16 we obtain a mid-sequent from a proof $\phi$ with quantifier free cuts. By Lemma 18 a mid-sequent for $S_n$ must have at least $2_n$ different instances of the axiom $I(x) \to I(1+x)$, and hence the proof must have depth at least $2_{n-1}$. □

To compare the obtained lower bound for cut elimination with our upper bound for cut elimination, we state the following theorem:

Theorem 20. There are proofs $\chi_n$ of the sequents $S_n$ with at most quantifier free cuts, so that the depth of $\chi_n$ can be bounded by i.e. $|\chi_n| \le 2$

Proof: By Proposition 15 there exist short proofs $\pi_n$, of depth linear in $n$, of the sequents $S_n$. The cut formulas involving $R_i$, $i \le n-1$, in these short proofs have $nqf(R_i) \le n-1$. There are no cut formulas with deeper nesting of quantifiers in the proof. From the proof of Corollary 12 it follows that we can bound the depth of a proof with quantifier free cuts by $|\chi_n| \le$ □

The Second Improved Cut Elimination Theorem gives no further improvement of the upper bound, since sufficiently complex subformulas of cut formulas $R_i(0)$ are contracted in the subproofs $\psi_i$, i.e. $cnqf(\pi_n) = nqf(\pi_n)$. This demonstrates how efficient these short proofs are in their use of cuts and contractions. Every non-elementary growth example must employ a similar combination of nesting of quantifiers and contractions, as we have shown that cut elimination in the absence of either becomes elementary.

Remark. In [16] Carbone defines the so-called bridge-groups of proofs which capture the structure of a proof w.r.t. cuts and contractions. It is shown that short proofs of Statman's example correspond to the so-called Gersten-group for which distortion into cyclic subgroups is hyper-exponential. Carbone conjectures that for bridge-groups the complexity of distortion into cyclic subgroups characterizes the complexity of cut elimination for the corresponding proofs. Since the Gersten group is the only known 1-relator group with hyper-exponential distortion this further suggests that Statman's lower bound example is a characteristic example of the non-elementary complexity of cut elimination.

In comparison to the refined upper bound, the bounds obtained from Schwichtenberg's and Buss's cut elimination theorem both estimate the complexity in the logical depth of the cut formulas $R_i$, where $|R_i| = 2i$. Comparing Statman's lower bound to Schwichtenberg's and Buss's upper bounds, we notice a substantial gap between the upper and the lower bound. With the improved analysis of cut elimination the gap between our upper and Statman's lower bound is now closed. In tabular form the bounds on proofs with quantifier free cuts compare as follows. Note that the bounds on the size of a proof equivalently give a bound on the size of a Herbrand disjunction:
                                       $|\cdot|$                 $\|\cdot\|$ (Herbrand)
  Statman / Pudlak (lower bound)       $2_{n-1}$                 $2_{n}$
  Schwichtenberg (upper bound)         $2^{O(n)}_{2n-2}$         $2^{O(n)}_{2n-1}$
  Buss (upper bound)                   -                         $2^{O(n)}_{4n-3}$
  Zhang / Gerhardy (upper bound)       $2^{O(n)}_{n-1}$          $2^{O(n)}_{n}$

Remark. In [1] Zhang also states that the upper and lower bound coincide. His statement relies on two propositions: that there are, as shown above, proofs of the sequents $S_n$ of depth linear in $n$ with $nqf(\pi_n) \le n-1$, and that every cut free proof of the sequents $S_n$ must have hyper-exponentially in $n$ many quantifier inferences in serial. For the first proposition no proof is given in Zhang's paper, for the second proposition a counterexample is presented in [15].



3.4 Further Improvement of the Cut Elimination Theorem

We can show that if all cut formulas are composed exclusively of atomic formulas and $\forall$ and $\wedge$ connectives (resp. $\exists$ and $\vee$), cut elimination is exponential, regardless of the nesting of $\forall$ (resp. $\exists$) quantifiers. For arbitrary cut formulas the complexity depends on the number of alternating $\forall$-$\wedge$ and $\exists$-$\vee$ blocks, as was shown in [2]. We discuss two propositions that naturally lead to the result.

Proposition 21. Assume we have in a proof $\phi$ a cut inference with the cut formula $\forall \bar{x} B(\bar{x})$. Then we can eliminate that block of quantifiers simultaneously, replacing the cut with a number of cuts with $B(\bar{t})$, for appropriate terms $\bar{t}$. For the modified proof $\phi'$ we have that $|\phi'| \le 2 \cdot |\phi|$.

Proof: Let the cut inference be:

$$
\frac{\overset{\psi}{\Gamma \vdash \Delta, \forall \ldots \forall x B(x)} \qquad \overset{\chi}{\forall \ldots \forall x B(x), \Pi \vdash \Lambda}}{\Gamma, \Pi \vdash \Delta, \Lambda}\ \text{cut}
$$

In $\chi$ we enumerate the $l$ inferences where an innermost $\forall$ quantifier of an ancestor of the cut formula is introduced as (for $1 \le i \le l$)

$$
\frac{B(t_{i,1}, \ldots, t_{i,n}), \Pi_i \vdash \Lambda_i}{\forall x_n B(t_{i,1}, \ldots, t_{i,n-1}, x_n), \Pi_i \vdash \Lambda_i}\ \forall\!:\!l
$$

Similar to the earlier proof transformation in the $\forall$-case, we can obtain proofs $\psi_i$ of the sequents $\Gamma \vdash \Delta, B(t_{i,1}, \ldots, t_{i,n})$. Replacing the enumerated inferences in $\chi$ by cuts with $B(t_{i,1}, \ldots, t_{i,n})$ we obtain the desired result. □

Proposition 22. Assume we have in a proof $\phi$ a cut inference with the cut formula $\bigwedge_{i=1}^{n} B_i$. Then we can eliminate all those conjunctions simultaneously, replacing that cut with a number of cuts with $B_i$. For the modified proof $\phi'$ we have that $|\phi'| \le 2 \cdot |\phi|$.

Proof: The proof is almost identical to the proof of Proposition 21, but instead eliminating cuts where the "innermost" conjunct is introduced. □

The crucial insight is that both for the $\forall$-quantifier and the $\wedge$-connective, the projection to a subformula of the cut formula occurs in the left subproof, leading to new cut inferences in the right subproof. Therefore, if all cut formulas are composed exclusively of some formulas $B_i$ and the connectives $\forall$ and $\wedge$, all connectives can be eliminated in one step.

Lemma 23. Let $\phi$ be a proof of a sequent $\Gamma \vdash \Delta$ with the last inference a cut. Let the cut formula be constructed from formulas $B_1, \ldots, B_n$ by the connectives $\forall$ and $\wedge$ only (resp. $\exists$ and $\vee$). Then we can replace that cut by a number of smaller cuts with cut formulas $B_i$. For the resulting proof $\phi'$ we have $|\phi'| \le 2 \cdot |\phi|$.

Proof: Combining the reductions for $\forall$ and $\wedge$ described in Propositions 21 and 22 we replace the $\wedge$- or $\forall$-introductions by cuts. For the resulting proof $\phi'$ we get $|\phi'| \le 2 \cdot |\phi|$. The $\exists$-$\vee$-case is handled symmetrically, with roles of the left and right subproofs reversed. □

This immediately gives us a double-exponential bound for cut elimination if all cut formulas are composed of $\forall$, $\wedge$ and atomic formulas. However, we can eliminate the $\forall$ and $\wedge$ connectives and the remaining atomic cuts in one go, by combining the above lemmas with the technique to eliminate atomic cuts. We state the following theorem:

Theorem 24. Let $\phi$ be a proof of a sequent $\Gamma \vdash \Delta$ with all cut formulas $\forall$-$\wedge$ (resp. $\exists$-$\vee$). Then there is a cut-free proof $\phi'$ of the same sequent with $|\phi'| \le 2^{|\phi|}$.

Proof: In Appendix. □

Remark. The result still holds if we allow negation of atomic formulas in the cut formulas, as elimination of negation can easily be combined with the above cut elimination technique.

The above technique can easily be generalized to arbitrary cut formulas, if we restrict the logical connectives in the cut formulas to $\forall$, $\wedge$, $\exists$, $\vee$ and $\neg$, with negation only appearing in front of atomic formulas. If we alternatingly eliminate $\forall$-$\wedge$-connectives and $\exists$-$\vee$-connectives we get a non-elementary upper bound for cut elimination, where the height of the tower of exponentials depends on the number of alternations of $\forall$-$\wedge$ and $\exists$-$\vee$ blocks in the cut formulas. Again the short proofs $\pi_n$ of sequents $S_n$ perfectly exploit this, as the forall-implication structure of the cut formulas $R_i$ corresponds to such alternations, i.e. the number of alternations in $R_i$ is $i$.

Already the elimination of $\forall$-$\wedge$ cuts with elementary complexity has applications. In [17] Baaz and Leitsch prove an exponential upper bound for cut elimination in a fragment of LK called QMON. At the heart of the proof is a technique for eliminating $\forall$-$\wedge$ cuts similar to the one presented above. The rest of their proof relies on special properties of the fragment QMON.
Abstract. We study the succinctness of monadic second-order logic and a variety of monadic fixed point logics on trees. All these languages are known to have the same expressive power on trees, but some can express the same queries much more succinctly than others. For example, we show that, under some complexity theoretic assumption, monadic second-order logic is non-elementarily more succinct than monadic least fixed point logic, which in turn is non-elementarily more succinct than monadic datalog.

Succinctness of the languages is closely related to the combined and parameterized complexity of query evaluation for these languages.

Keywords: Finite Model Theory, Monadic Second-Order Logic, Fixed Point Logics, μ-Calculus, Monadic Datalog, Tree-like structures, Succinctness



1. Introduction 

A central topic in finite model theory has always been a comparison of the expres- 
sive power of different logics on finite relational structures. In particular, the expres- 
sive power of fragments of monadic second-order logic and various fixed-point log- 
ics has already been investigated in some of the earliest papers in finite model theory 
[Fag75,CH82]. One of the main motivations for such studies was an interest in the ex- 
pressive power of query languages for relational databases. 

In recent years, the focus in database theory has shifted from relational to semi- 
structured data and in particular data stored as XML-documents. A lot of current re- 
search in the database community is concerned with the design and implementation 
of XML query languages (see, for example, [FSW00,HP00,GK02] or the monograph 
[ABS99] for a general introduction into semi-structured data and XML). The languages 
studied in the present paper may be viewed as node-selecting query languages for XML. 
They all contain the core of the language XPath, which is an important building block of
several major XML-related technologies. Recently, monadic datalog has been proposed 
as a node-selecting query language with a nice balance between expressive power and 
very good algorithmic properties [GK02,Koc03]. 

XML-documents are best modelled by trees, or more precisely, finite labelled ordered unranked trees. It turns out that when studying node-selecting query languages for

* Supported by a fellowship within the Postdoc-Programme of the German Academic Exchange 
Service (DAAD) 



M. Baaz and J.A. Makowsky (Eds.): CSL 2003, LNCS 2803, pp. 226-240, 2003.
© Springer-Verlag Berlin Heidelberg 2003




Comparing the Succinctness of Monadic Query Languages over Finite Trees 






XML-documents, expressive power is not the central issue. Quite to the contrary: Neven and Schwentick [NS02] proposed to take the expressive power of monadic second-order logic (MSO) as a benchmark for node-selecting XML-query languages and, in some sense, suggested that such languages should at least have the expressive power of MSO. However, even languages with the same expressive power may have vastly different complexities. For example, monadic datalog and MSO have the same expressive power over trees [GK02]. However, monadic datalog queries can be evaluated in time linear both in the size of the datalog program and the size of the input tree [GK02], and thus the combined complexity of monadic datalog is in polynomial time, whereas the evaluation of MSO queries is PSPACE complete. The difference becomes even more obvious if we look at parameterized complexity: Unless PTIME $=$ NP, there is no algorithm evaluating a monadic second-order query in time $f(\text{size of query}) \cdot p(\text{size of tree})$ for any elementary function $f$ and polynomial $p$ [FG03]. Similar statements hold for the complexity of the satisfiability problem for monadic datalog and MSO over trees. The reason for this different behaviour is that even though the languages have the same expressive power on trees, in MSO we can express queries much more succinctly. Indeed, there is no elementary translation from a given MSO-formula into an equivalent monadic datalog program. We also say that MSO is non-elementarily more succinct than monadic datalog. Just to illustrate the connection between succinctness and complexity, let us point out that if there was an elementary translation from MSO to monadic datalog, then there would be an algorithm evaluating a monadic second-order query in time $f(\text{size of query}) \cdot p(\text{size of tree})$ for an elementary function $f$ and a polynomial $p$.

In this paper, we study the succinctness (in the sense just described) of a variety of 
fixed point logics on finite trees. Our main results are the following: 

1. MSO is non-elementarily more succinct than monadic least fixed point logic MLFP (see Theorem 2). Unfortunately, we are only able to prove this result under the odd, but plausible complexity theoretic assumption that for some $i \ge 1$, NP is not contained in DTIME$(n^{\log^{(i)} n})$, where $\log^{(i)}$ denotes the $i$ times iterated logarithm.

2. MLFP is non-elementarily more succinct than its 2-variable fragment MLFP$^2$ (see Corollary 3).

3. MLFP$^2$ is exponentially more succinct than the full modal μ-calculus, that is, the modal μ-calculus with future and past modalities (see Theorem 3, Example 2, and Theorem 4).

4. The full modal μ-calculus is at most exponentially more succinct than stratified monadic datalog, and conversely, stratified monadic datalog is at most exponentially more succinct than the full modal μ-calculus (see Theorem 7 and 8). Furthermore, stratified monadic datalog is at most exponentially more succinct than monadic datalog (see Theorem 6).

The exact relationship between these three languages remains open. 

Of course we are not the first to study the succinctness of logics with the same ex-
pressive power. Most known results are about modal and temporal logics. The motiva- 
tion for these results has not come from database theory, but from automated verifica- 
tion and model-checking. The setting, however, is very similar. For example, Kamp’s 
well-known theorem states that first-order logic and linear time temporal logic have the same expressive power on strings [Kam68], but there is no elementary translation from first-order logic to linear time temporal logic on strings. Even closer to our results, monadic second-order logic and the modal μ-calculus have the same expressive power on (ordered) trees, but again it is well-known that there is no elementary translation from the former to the latter. Both of these results can be proved by simple automata theoretic arguments. More refined results are known for various temporal logics [Wil99,AI00,AI01,EVW02]. By and large, however, succinctness has received surprisingly little attention in the finite model theory community. Apart from automata theoretic arguments, almost no good techniques for proving lower bounds on formula sizes are known. A notable exception are Adler and Immerman's [AI01] nice games for proving such lower bounds. Unfortunately, we found that these games (adapted to fixed point logic) were of little use in our context. So we mainly rely on automata theoretic arguments. An exception is the complexity theoretically conditioned result that MSO is non-elementarily more succinct than MLFP. To prove this result, we are building on a technique introduced in [FG03].

The paper is organised as follows: In Section 2 we fix the basic notations used 
throughout the paper. Section 3 concentrates on the translation from MSO to MLFP. 
In Section 4 we present our results concerning the two-variable fragment of MLFP and 
the full modal μ-calculus. In Section 5 we concentrate on monadic datalog, stratified
monadic datalog, and their relations to finite automata and to MLFP. Finally, Section 6 
concludes the paper by pointing out several open questions. 

Due to space limitations, we had to defer detailed proofs of our results to the full 
version of this paper [GS03]. 

2. Preliminaries 

2.1. Basic Notations. Given a set $\Sigma$ we write $\Sigma^*$ to denote the set of all finite strings over $\Sigma$, and we use $\varepsilon$ to denote the empty string. We use $\mathbb{N}$ to denote the set $\{0, 1, 2, \ldots\}$ of natural numbers. We use $\lg$ to denote the logarithm with respect to base 2. With a function $f$ that maps natural numbers to real numbers we associate the corresponding function from $\mathbb{N}$ to $\mathbb{N}$ defined by $n \mapsto \lceil f(n) \rceil$. For simplicity we often simply write $f(n)$ instead of $\lceil f(n) \rceil$.

The function $\mathrm{Tower} : \mathbb{N} \to \mathbb{N}$ is inductively defined via $\mathrm{Tower}(0) := 1$ and $\mathrm{Tower}(h+1) := 2^{\mathrm{Tower}(h)}$, for all $h \in \mathbb{N}$. I.e., $\mathrm{Tower}(h)$ is a tower of 2s of height $h$.

We say that a function $f : \mathbb{N} \to \mathbb{N}$ has bound $f(m) \le \mathrm{Tower}(o(h(m)))$, for some function $h : \mathbb{N} \to \mathbb{N}$, if there is a function $g \in o(h)$ and a $m_0 \in \mathbb{N}$ such that for all $m \ge m_0$ we have $f(m) \le \mathrm{Tower}(g(m))$. Note that, in particular, every elementary function $f$ has bound $f(m) \le \mathrm{Tower}(o(m))$. Indeed, for every elementary function $f$ there is a $h \in \mathbb{N}$ such that, for all $n \in \mathbb{N}$, $f(n)$ is less than or equal to the tower of 2s of height $h$ with an $n$ on top.

2.2. Structures. A signature $\tau$ is a finite set of relation symbols and constant symbols. Each relation symbol $R \in \tau$ has a fixed arity $ar(R)$. A $\tau$-structure $\mathcal{A}$ consists of a set $U^{\mathcal{A}}$ called the universe of $\mathcal{A}$, an interpretation $c^{\mathcal{A}} \in U^{\mathcal{A}}$ of each constant symbol $c \in \tau$, and an interpretation $R^{\mathcal{A}} \subseteq (U^{\mathcal{A}})^{ar(R)}$ of each relation symbol $R \in \tau$. All structures considered in this paper are assumed to have a finite universe.

The main focus of this paper lies on the class Trees of finite binary trees. Precisely, finite binary trees are particular structures over the signature

$$\tau_{\mathrm{Trees}} := \{\mathrm{Root},\ 1^{st}\mathrm{Child},\ 2^{nd}\mathrm{Child},\ \mathrm{Has\text{-}No\text{-}}1^{st}\mathrm{Child},\ \mathrm{Has\text{-}No\text{-}}2^{nd}\mathrm{Child}\},$$

where Root, Has-No-1$^{st}$Child, Has-No-2$^{nd}$Child are unary relation symbols and 1$^{st}$Child, 2$^{nd}$Child are binary relation symbols. We define Trees to be the set of all $\tau_{\mathrm{Trees}}$-structures $T$ that satisfy the following conditions:

1. $U^T \subseteq \{1, 2\}^*$ and for every string $si \in U^T$ with $i \in \{1, 2\}$ we also have $s \in U^T$.

2. $\mathrm{Root}^T$ consists of the empty string $\varepsilon$.

3. $1^{st}\mathrm{Child}^T$ consists of the pairs $(s, s1)$, for all $s1 \in U^T$.

4. $2^{nd}\mathrm{Child}^T$ consists of the pairs $(s, s2)$, for all $s2 \in U^T$.

5. Has-No-1$^{st}$Child$^T$ consists of all strings $s \in U^T$ with $s1 \notin U^T$.

6. Has-No-2$^{nd}$Child$^T$ consists of all strings $s \in U^T$ with $s2 \notin U^T$.

For $T \in$ Trees and $t \in U^T$ we write $T_t$ to denote the subtree of $T$ with root $t$.

A schema $\sigma$ is a set of unary relation symbols each of which is distinct from Has-No-1$^{st}$Child, Has-No-2$^{nd}$Child, Root. A $\sigma$-labelled tree is a $(\tau_{\mathrm{Trees}} \cup \sigma)$-structure consisting of some $T \in$ Trees and additional interpretations $P^T \subseteq U^T$ for all symbols $P \in \sigma$. We sometimes write $\mathrm{label}(t)$ to denote the set $\{P \in \sigma : t \in P^T\}$ of labels at vertex $t$ in $T$.

We identify a string $w = w_0 \cdots w_{n-1}$ of length $|w| = n \ge 1$ over an alphabet $\Sigma$ with a $\sigma$-labelled tree $T_w$ in the following way: We choose $\sigma$ to consist of a unary relation symbol $P_a$ for each letter $a \in \Sigma$, we choose $T_w$ to be the (unique) element in Trees with universe $U^{T_w} = \{\varepsilon, 1, 11, \ldots, 1^{n-1}\}$, and we choose $P_a^{T_w} := \{1^i : w_i = a\}$, for each $a \in \Sigma$. This corresponds to the conventional representation of strings by structures in the sense that $(U^{T_w}, 1^{st}\mathrm{Child}, (P_a^{T_w})_{a \in \Sigma})$ is isomorphic to the structure $(\{0, \ldots, n-1\}, \mathrm{Succ}, (P_a^w)_{a \in \Sigma})$ where Succ denotes the binary successor relation on $\{0, \ldots, n-1\}$ and $P_a^w$ consists of all positions of $w$ that carry the letter $a$. When reasoning about strings in the context of first-order logic, we sometimes also need the linear ordering $<$ on $\{0, \ldots, n-1\}$ (respectively, the transitive closure of the relation $1^{st}$Child). In these cases we explicitly write FO($<$) rather than FO to indicate that the linear ordering is necessary.
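The representation $T_w$ of a string and the six conditions defining Trees, as an added example in Python that is not part of the paper: the class `Tree` stores a universe $U \subseteq \{1,2\}^*$ together with the label sets $P_a$, checks condition 1 and computes the relations of conditions 2 to 6; `string_to_tree` builds $T_w$, `tree_to_string` inverts it, and `successor_relation` exhibits the isomorphism with $(\{0, \ldots, n-1\}, \mathrm{Succ}, (P_a^w)_{a \in \Sigma})$ stated above. All function and class names are assumptions of this example.

```python
# Added example (not from the paper): finite binary trees over tau_Trees and
# the tree T_w representing a string w, as defined in Section 2.2.
class Tree:
    """A sigma-labelled tree: a universe U subset of {1,2}* (the root is the
    empty string "") and, for each label a, the set P_a of vertices labelled a."""

    def __init__(self, universe, labels=None):
        self.U = frozenset(universe)
        self.labels = {a: frozenset(S) for a, S in (labels or {}).items()}

    def is_tree(self):
        """Condition 1: U is prefix-closed (every si in U has s in U); the
        root "" must be present, so the empty universe is rejected."""
        if "" not in self.U:
            return False
        return all(set(s) <= {"1", "2"} and s[:-1] in self.U
                   for s in self.U if s)

    # Conditions 2-6: the interpretations of the five symbols of tau_Trees.
    def root(self):
        return {s for s in self.U if s == ""}

    def first_child(self):
        return {(s, s + "1") for s in self.U if s + "1" in self.U}

    def second_child(self):
        return {(s, s + "2") for s in self.U if s + "2" in self.U}

    def has_no_first_child(self):
        return {s for s in self.U if s + "1" not in self.U}

    def has_no_second_child(self):
        return {s for s in self.U if s + "2" not in self.U}

    def label(self, t):
        """label(t) = {a : t in P_a}."""
        return {a for a, S in self.labels.items() if t in S}

    def subtree(self, t):
        """T_t: the subtree with root t, re-addressed so that t becomes ""."""
        n = len(t)
        return Tree({s[n:] for s in self.U if s.startswith(t)},
                    {a: {s[n:] for s in S if s.startswith(t)}
                     for a, S in self.labels.items()})


def string_to_tree(w):
    """T_w for a string w = w_0 ... w_{n-1}, n >= 1: universe {"", 1, 11, ...,
    1^(n-1)}, and P_a = {1^i : w_i = a} for every letter a occurring in w."""
    if not w:
        raise ValueError("only strings of length >= 1 are represented")
    universe = {"1" * i for i in range(len(w))}
    labels = {a: {"1" * i for i, c in enumerate(w) if c == a} for a in set(w)}
    return Tree(universe, labels)


def tree_to_string(T):
    """Inverse of string_to_tree: requires a 1stChild chain with exactly one
    letter per vertex; vertex 1^i is position i of the string."""
    n = len(T.U)
    if n == 0 or T.U != {"1" * i for i in range(n)}:
        raise ValueError("not the representation of a string")
    letters = []
    for i in range(n):
        (a,) = T.label("1" * i)        # raises if a vertex has 0 or 2+ labels
        letters.append(a)
    return "".join(letters)


def successor_relation(T):
    """Image of 1stChild^T under 1^i -> i: the Succ relation on {0, ..., n-1}
    of the conventional string structure (the isomorphism stated in the text)."""
    return {(len(s), len(t)) for (s, t) in T.first_child()}
```

`string_to_tree("abba")` has universe $\{\varepsilon, 1, 11, 111\}$, $P_a = \{\varepsilon, 111\}$ and $P_b = \{1, 11\}$; only the last vertex is in Has-No-1$^{st}$Child and every vertex is in Has-No-2$^{nd}$Child, which is exactly why a string tree is a chain along $1^{st}$Child.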

XML-documents are usually modelled as ordered unranked trees and not as binary 
trees. Here ordered refers to the fact that the order of the children of a vertex is given. 
However, a standard representation of ordered unranked trees as relational structures 
uses binary relations 1 st Child, Next-Sibling and unary relations Root, Leaf, Last-Sibling 
(for details, see [GK02]) and thus essentially represents ordered unranked trees as bi- 
nary trees. Therefore, all our results also apply to ordered unranked trees. 

2.3. Logics and Queries. We assume that the reader is familiar with first-order logic, for short: FO, and with monadic second-order logic, for short: MSO (cf., e.g., the textbooks [EF99,Imm99]). We use FO($\tau$) and MSO($\tau$), respectively, to denote the class of all first-order formulas and monadic second-order formulas, respectively, of signature $\tau$. We write $\varphi(x_1, \ldots, x_k, X_1, \ldots, X_\ell)$ to indicate that the free first-order variables of the formula $\varphi$ are $x_1, \ldots, x_k$ and the free set variables are $X_1, \ldots, X_\ell$. Sometimes we use $\bar{x}$ and $\bar{X}$ as abbreviations for sequences $x_1, \ldots, x_k$ and $X_1, \ldots, X_\ell$ of variables.

A formula $\varphi(x)$ of signature $\tau$ defines the unary query which associates with every $\tau$-structure $\mathcal{A}$ the set of elements $a \in U^{\mathcal{A}}$ such that $\mathcal{A} \models \varphi(a)$, i.e., $\mathcal{A}$ satisfies $\varphi$ when interpreting the free occurrences of the variable $x$ by the element $a$. A sentence $\varphi$ of signature $\tau$ (i.e., a formula that has no free variables) defines the Boolean query that associates the answer "yes" with all $\tau$-structures that satisfy $\varphi$ and the answer "no" with all other $\tau$-structures.

Apart from FO and MSO we will also consider monadic least fixed point logic 
MLFP which is the extension of first-order logic by unary least fixed point operators. 
We refer the reader to [EF99] for the definition of MLFP (denoted by FO(M-LFP) 
there). 

2.4. Formula Size and Succinctness. In a natural way, we view formulas as finite trees, where leaves correspond to the atoms of the formulas and inner vertices correspond to Boolean connectives, quantifiers, and fixed-point operators. We define the size $\|\varphi\|$ of a formula $\varphi$ to be the number of vertices of the tree that corresponds to $\varphi$.

Note that this measure of formula size is a uniform cost measure in the sense that it accounts just 1 cost unit for each variable and relation symbol appearing in a formula, no matter what its index is. An alternative is to define the size of a formula as the length of a binary encoding of the formula. Such a logarithmic cost measure is, for example, used in [FG03]. Switching between a uniform and a logarithmic measure usually involves a logarithmic factor.



Definition 1 (Succinctness). Let $L_1$ and $L_2$ be logics, let $F$ be a class of functions from $\mathbb{N}$ to $\mathbb{N}$, and let $\mathcal{C}$ be a class of structures.

We say that $L_1$ is $F$-succinct in $L_2$ on $\mathcal{C}$ if there is a function $f \in F$ such that for every formula $\varphi_1 \in L_1$ there is a formula $\varphi_2 \in L_2$ of size $\|\varphi_2\| \le f(\|\varphi_1\|)$ which is equivalent to $\varphi_1$ on all structures in $\mathcal{C}$. □

Intuitively, a logic $L_1$ being $F$-succinct in a logic $L_2$ means that $F$ gives an upper bound for the size of $L_2$-formulas needed to express all of $L_1$. This definition may seem slightly at odds with the common use of the term "succinctness" in statements such as "$L_2$ is exponentially more succinct than $L_1$" meaning that there is some $L_2$-formula that is not equivalent to any $L_1$-formula of subexponential size. In our terminology, we would rephrase this last statement as "$L_2$ is not $2^{o(n)}$-succinct in $L_1$" (here we interpret subexponential as $2^{o(n)}$, but of course this is not the issue). The reason for defining $F$-succinctness the way we did is that it makes the formal statements of our results much more convenient. We will continue to use statements such as "$L_2$ is exponentially more succinct than $L_1$" in informal discussions.



Example 1. MLFP is $O(m)$-succinct in MSO on the class of all finite structures, because every formula $[\mathrm{LFP}_{x,X}\, \varphi(x, X, \bar{y}, \bar{Y})](z)$ is equivalent to $\forall X \big( Xz \vee \exists x (\neg Xx \wedge \varphi(x, X, \bar{y}, \bar{Y})) \big)$. □
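Example 1 checked on a constructed structure, as an added example that is not from the paper: the least fixed point is computed by iteration, the MSO formula $\forall X (Xz \vee \exists x (\neg Xx \wedge \varphi(x, X)))$ is evaluated by enumerating all subsets $X$, and both are compared for every $z$. The structure (a binary tree with a constructed unary label $P$) and the formula $\varphi$ (x is the root, or x is a child of some $P$-labelled vertex already in $X$) are assumptions of this example, as are all function names.

```python
# Added example (not from the paper): Example 1 on a constructed structure.
from itertools import combinations


def subsets(universe):
    """All 2^|U| subsets X of the universe, as frozensets."""
    u = sorted(universe)
    for r in range(len(u) + 1):
        for c in combinations(u, r):
            yield frozenset(c)


def lfp(phi, universe):
    """[LFP_{x,X} phi](z) for all z at once: iterate X -> {x : phi(x, X)} from
    the empty set; for phi positive in X this is an increasing chain that
    stabilises after at most |U| rounds at the least fixed point."""
    X = frozenset()
    while True:
        nxt = frozenset(x for x in universe if phi(x, X))
        if nxt == X:
            return X
        X = nxt


def mso_translation(phi, universe, z):
    """forall X ( Xz  or  exists x ( not Xx and phi(x, X) ) ), evaluated by
    brute force over all subsets X: z lies in every X that is closed under
    phi, i.e. in the intersection of all pre-fixed points."""
    return all(z in X or any(x not in X and phi(x, X) for x in universe)
               for X in subsets(universe))


def agree_on_all(phi, universe):
    """Check the equivalence of Example 1 for every z of the structure."""
    fix = lfp(phi, universe)
    return all((z in fix) == mso_translation(phi, universe, z) for z in universe)


# Constructed structure: a binary tree with universe U and a unary label P
# (vertices one may pass through); Child(y, x) holds for x in {y1, y2}.
UNIVERSE = frozenset({"", "1", "2", "11", "12", "21", "22"})
P = frozenset({"", "1"})


def child(y, x):
    return x in (y + "1", y + "2")


def phi_reach(x, X):
    """phi(x, X): x is the root, or x is a child of a P-labelled vertex in X.
    X occurs only positively, so the least fixed point exists."""
    return x == "" or any(y in X and y in P and child(y, x) for y in UNIVERSE)
```

With this $\varphi$ the least fixed point is $\{\varepsilon, 1, 2, 11, 12\}$: the children of vertex 2 are never reached because 2 is not labelled $P$, and the brute-force evaluation of the MSO formula returns exactly the same set. The subset enumeration is exponential in $|U|$, which is the price of the translation's $\forall X$ rather than of the encoding size that Example 1 is about.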
3. From MSO to MLFP

By the standard translation from MSO-logic to tree automata (cf., e.g., [Tho96]) one knows that every MSO-sentence $\Phi$ can be translated into a nondeterministic tree automaton with $\mathrm{Tower}(O(\|\Phi\|))$ states that accepts exactly those labelled trees that satisfy $\Phi$. This leads to

Theorem 1 (Folklore). MSO-sentences are $\mathrm{Tower}(O(m))$-succinct in MLFP on the class of all labelled trees. □

To show that we cannot do essentially better, i.e., that there is no translation from MSO to MLFP of size $\mathrm{Tower}(o(m))$, we need a complexity theoretic assumption that, however, does not seem to be too far-fetched. Let SAT denote the NP-complete satisfiability problem for propositional formulas in conjunctive normal form. Until now, all known deterministic algorithms that solve SAT have worst-case complexity $2^{O(n)}$ (cf. [DGH+02]). Although not answering the P vs. NP question, the exposition of a deterministic algorithm for SAT with worst-case complexity $\|\gamma\|^{\lg n}$ would be a surprising and unexpected breakthrough in the SAT-solving community.

In the following, we write $\lg^{(i)}$ to denote the $i$ times iterated logarithm, inductively defined by $\lg^{(1)}(n) := \lg(n)$ and $\lg^{(i+1)}(n) := \lg(\lg^{(i)}(n))$. Moreover, we write $\lg^*$ to denote the "inverse" of the Tower function, that is, the (unique) integer valued function with $\mathrm{Tower}(\lg^*(n) - 1) < n \le \mathrm{Tower}(\lg^*(n))$.
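$\mathrm{Tower}$, the iterated logarithm $\lg^{(i)}$ and $\lg^*$ from Section 2.1 and the paragraph above, as an added example in Python that is not from the paper. `tower_on` is a hypothetical name for the tower of height $h$ with $n$ on top that bounds every elementary function; `lg_star_bracket` checks the inequality that defines $\lg^*$. All names are assumptions of this example.

```python
# Added example (not from the paper): Tower, the iterated logarithm lg^(i)
# and lg* as defined in the text.  tower_on is a hypothetical helper name.
import math


def tower(h: int) -> int:
    """Tower(0) = 1, Tower(h+1) = 2 ** Tower(h): a tower of 2s of height h."""
    if h < 0:
        raise ValueError("Tower is only defined for h >= 0")
    t = 1
    for _ in range(h):
        t = 2 ** t
    return t


def tower_on(h: int, n: int) -> int:
    """A tower of 2s of height h with n on top; every elementary function is
    bounded by such a tower for some fixed h (the remark in Section 2.1)."""
    t = n
    for _ in range(h):
        t = 2 ** t
    return t


def iterated_lg(i: int, n: int) -> float:
    """lg^(i)(n): the i times iterated base-2 logarithm, i >= 1.  Returned as a
    float; the paper identifies it with its rounded-up integer value."""
    if i < 1:
        raise ValueError("i must be >= 1")
    x = float(n)
    for _ in range(i):
        x = math.log2(x)
    return x


def lg_star(n: int) -> int:
    """The 'inverse' of Tower: the unique k with Tower(k-1) < n <= Tower(k).
    Only k <= 5 is reachable for any n that fits in memory (Tower(5) has
    19729 decimal digits), so the search is capped there."""
    if n < 1:
        raise ValueError("n must be >= 1")
    k = 0
    while tower(k) < n:
        k += 1
        if k > 5:
            raise OverflowError("n exceeds Tower(5)")
    return k


def lg_star_bracket(n: int) -> bool:
    """Verify Tower(lg*(n) - 1) < n <= Tower(lg*(n)) for n >= 2."""
    if n < 2:
        raise ValueError("the lower bound needs lg*(n) >= 1, i.e. n >= 2")
    k = lg_star(n)
    return tower(k - 1) < n <= tower(k)
```

The values illustrate how coarse $\lg^*$ is: $\lg^*(n) = 4$ for every $n$ from 17 up to 65536, and $\lg^*(n) = 5$ for everything beyond that up to $2^{65536}$, which is why a $\mathrm{Tower}(o(m))$ bound is such a strong statement.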

Theorem 2. Unless SAT is solvable by a deterministic algorithm that has, for every $i \in \mathbb{N}$, time bound $\|\gamma\|^{\lg^{(i)} n}$ (where $\gamma$ is the input formula and $n$ the number of propositional variables occurring in $\gamma$), MSO is not $\mathrm{Tower}(o(m))$-succinct in MLFP on the class of all finite strings. □

The overall proof idea is to assume that the function $f$ specifies the size of the translation from MSO to MLFP and to exhibit a SAT-solving algorithm which

- constructs a string $w$ that represents the SAT-instance $\gamma$,

- constructs an MSO-formula $\Phi(z)$ of extremely small size that, when evaluated in $w$, specifies a canonical satisfying assignment for $\gamma$ (if $\gamma$ is satisfiable at all),

- tests, for all MLFP-formulas $\Psi(z)$ of size $\le f(\|\Phi\|)$, whether $\Psi$ specifies a satisfying assignment for $\gamma$.

Before presenting the proof in detail we provide the necessary notations and lemmas: 

It is straightforward to see 

Lemma 1. There is an algorithm that, given an MLFP-formula T'( z ), a string w, and 
a position p in w, decides in time | xi? | 0 0 1 ^ 1 1 ) whetherw \= ’f'(p). □ 

Let us now concentrate on the construction of a string $w$ that represents a SAT-instance $\gamma$ and of an MSO-formula $\Phi(z)$ that specifies a canonical satisfying assignment of $\gamma$ (provided that $\gamma$ is satisfiable at all). Since we want $\Phi$ to be extremely short, we cannot choose $w$ to be the straightforward string-representation of $\gamma$. Instead, we use the following, more complicated, representation of [FG03]:

For all $h \ge 1$ let $\Sigma_h := \{0, 1, \texttt{<1>}, \texttt{</1>}, \ldots, \texttt{<h>}, \texttt{</h>}\}$. The "tags" $\texttt{<i>}$ and $\texttt{</i>}$ represent single letters of the alphabet and are just chosen to improve readability.

For every $n \in \mathbb{N}$ let $L(n)$ be the length of the binary representation of the number $n-1$, i.e., $L(0) = 0$, $L(1) = 1$, and $L(n) = \lfloor \lg(n-1) \rfloor + 1$ for all $n \ge 2$. By $\mathrm{bit}(i,n)$ we denote the $i$-th bit of the binary representation of $n$, i.e., $\mathrm{bit}(i,n)$ is 1 if $\lfloor n/2^i \rfloor$ is odd, and $\mathrm{bit}(i,n)$ is 0 otherwise.

We encode every number $n \in \mathbb{N}$ by a string $\mu_h(n)$ over the alphabet $\Sigma_h$, where $\mu_h(n)$ is inductively defined as follows: $\mu_1(0) := \texttt{<1></1>}$, and

$\mu_1(n) := \texttt{<1>}\ \mathrm{bit}(0,n-1)\ \mathrm{bit}(1,n-1)\ \cdots\ \mathrm{bit}(L(n)-1,n-1)\ \texttt{</1>}$,

for $n \ge 1$. For $h \ge 2$ we let $\mu_h(0) := \texttt{<h></h>}$ and

$\mu_h(n) := \texttt{<h>}\ \mu_{h-1}(0)\ \mathrm{bit}(0,n-1)\ \cdots\ \mu_{h-1}(L(n)-1)\ \mathrm{bit}(L(n)-1,n-1)\ \texttt{</h>}$,

for $n \ge 1$. Here empty spaces and line breaks are just used to improve readability.

To encode a CNF-formula $\gamma$ by a string we use an alphabet $\Sigma'_h$ that extends $\Sigma_h$ by the symbols $+$, $-$ and a number of additional tags. Let $i \in \mathbb{N}$ and let $X_i$ be a propositional variable. The literal $X_i$ is encoded by the string

$\mu_h(X_i) := \texttt{<lit>}\ \mu_h(i)\ +\ \texttt{</lit>}$,

and the literal $\neg X_i$ is encoded by $\mu_h(\neg X_i) := \texttt{<lit>}\ \mu_h(i)\ -\ \texttt{</lit>}$.

A clause $\delta := \lambda_1 \vee \cdots \vee \lambda_r$ of literals is encoded by

$\mu_h(\delta) := \texttt{<clause>}\ \mu_h(\lambda_1) \cdots \mu_h(\lambda_r)\ \texttt{</clause>}$.

A CNF-formula $\gamma := \delta_1 \wedge \cdots \wedge \delta_m$ is encoded by the string

$\mu_h(\gamma) := \texttt{<cnf>}\ \mu_h(\delta_1) \cdots \mu_h(\delta_m)\ \texttt{</cnf>}$.

We write $\mathrm{CNF}(n)$ to denote the class of all CNF-formulas the propositional variables of which are among $X_0, \ldots, X_{n-1}$. To provide the "infrastructure" for specifying a truth assignment, we use the string

$\mu_h(X_0, \ldots, X_{n-1}) := \texttt{<ass>}\ \texttt{<val>}\ \mu_h(0)\ *\ \texttt{</val>}\ \cdots\ \texttt{<val>}\ \mu_h(n-1)\ *\ \texttt{</val>}\ \texttt{</ass>}$.

Remark 1. There is a 1-1-correspondence between assignments $\alpha : \{X_0, \ldots, X_{n-1}\} \to \{\mathrm{true}, \mathrm{false}\}$, on the one hand, and sets $P$ of positions of $\mu_h(X_0, \ldots, X_{n-1})$ that carry the letter $*$, on the other hand: Such a set $P$ specifies the assignment $\alpha_P$ that, for each $i < n$, maps the variable $X_i$ to the value true iff the $*$-position directly after the substring $\mu_h(i)$ in $\mu_h(X_0, \ldots, X_{n-1})$ belongs to $P$. Conversely, a given assignment $\alpha$ specifies the set $P_\alpha$ consisting of exactly those $*$-positions of $\mu_h(X_0, \ldots, X_{n-1})$ that occur directly after a substring $\mu_h(i)$ where $\alpha(X_i) = \mathrm{true}$. □

Finally, we encode a formula $\gamma \in \mathrm{CNF}(n)$ by the string

$\mu_h(\gamma, *) := \mu_h(\gamma)\ \mu_h(X_0, \ldots, X_{n-1})$.

$\mu_h(\gamma, *)$ is the string $w$ that we will from now on use as the representative of a SAT-instance $\gamma$. We use the following result of [FG03]:
Lemma 2.

(a) There is an algorithm that, given $h \in \mathbb{N}$ and $\gamma \in \mathrm{CNF}(n)$, computes (a binary representation of) the string $\mu_h(\gamma, *)$ in time $O(h \cdot (\lg h) \cdot (\lg n)^2 \cdot (\|\gamma\| + n))$ (cf., [FG03, Lemma 9]). The string $\mu_h(\gamma, *)$ has length $|\mu_h(\gamma, *)| = O(h \cdot (\lg n)^2 \cdot (\|\gamma\| + n))$.

(b) There is an algorithm that, given $h \in \mathbb{N}$, computes (the binary representation of) a FO(<)-formula $\varphi_h(Z)$ in time $O(h \cdot \lg h)$, such that for all $n \le \mathrm{Tower}(h)$, for all $\gamma \in \mathrm{CNF}(n)$, and for all sets $P$ of $*$-positions in the string $\mu_h(\gamma, *)$ we have

$\mu_h(\gamma, *) \models \varphi_h(P)$ iff $\alpha_P$ is a satisfying assignment for $\gamma$

(cf., [FG03, Lemma 10]). The formula $\varphi_h(Z)$ has size¹ $\|\varphi_h(Z)\| = O(h)$. □

Given a $\mathrm{CNF}(n)$-formula $\gamma$ and its representative $\mu_h(\gamma, *)$, we now specify a canonical satisfying assignment of $\gamma$, provided that $\gamma$ is satisfiable at all. As observed in Remark 1, every assignment $\alpha : \{X_0, \ldots, X_{n-1}\} \to \{\mathrm{true}, \mathrm{false}\}$ corresponds to a set $P_\alpha$ of positions in $\mu_h(\gamma, *)$ that carry the letter $*$. $P_\alpha$, again, can be identified with the 0-1-string of length $|\mu_h(\gamma, *)|$ that carries the letter 1 exactly at those positions that belong to $P_\alpha$. Now, the lexicographic ordering of these strings gives us a linear ordering on the set of all assignments $\alpha : \{X_0, \ldots, X_{n-1}\} \to \{\mathrm{true}, \mathrm{false}\}$. As the canonical satisfying assignment of $\gamma$ we choose the lexicographically smallest satisfying assignment.

Lemma 3. There is an algorithm that, given $h \in \mathbb{N}$, computes (the binary representation of) an MSO-formula $\Phi_h(z)$ in time $O(h \cdot \lg h)$, such that for all $n \le \mathrm{Tower}(h)$, for all $\gamma \in \mathrm{CNF}(n)$, and for all positions $p$ of $\mu_h(\gamma, *)$ that carry the letter $*$, we have

$\mu_h(\gamma, *) \models \Phi_h(p)$ iff in the lexicographically smallest satisfying assignment for $\gamma$, the propositional variable corresponding to position $p$ is assigned the value true.

The formula $\Phi_h(z)$ has size $\|\Phi_h\| = O(h)$. □
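The encoding $\mu_h$, the correspondence of Remark 1 between $*$-positions and assignments, and the choice of the canonical (lexicographically smallest) satisfying assignment can be traced on a small instance. The following Python script is an added illustration and is not part of the original paper or of [FG03]. Its function names (tower, lg_star, mu, encode_instance, canonical_assignment), the clause representation it assumes (a clause is a list of (variable index, polarity) pairs) and the three-variable CNF instance in it are the script's own; the canonical assignment is found by brute force over all $2^n$ assignments rather than through the MSO-formula $\Phi_h$ of Lemma 3.

```python
from itertools import product


def tower(h):
    """Tower(0) = 1 and Tower(h+1) = 2^Tower(h)."""
    t = 1
    for _ in range(h):
        t = 2 ** t
    return t


def lg_star(n):
    """Inverse of Tower: the unique h with Tower(h-1) < n <= Tower(h), i.e. the least
    h >= 0 with Tower(h) >= n (this is step 2 of the algorithm in Fig. 1)."""
    h = 0
    while tower(h) < n:
        h += 1
    return h


def L(n):
    """Length of the binary representation of n-1: L(0)=0, L(1)=1, L(n)=floor(lg(n-1))+1."""
    if n <= 1:
        return n
    return (n - 1).bit_length()


def bit(i, n):
    """The i-th bit of n: 1 iff floor(n / 2^i) is odd."""
    return (n >> i) & 1


def mu(h, n):
    """mu_h(n): the tagged encoding of n over Sigma_h. The bits of n-1 are listed least
    significant first; for h >= 2 each bit position i is itself encoded as mu_{h-1}(i)."""
    if n == 0:
        return f"<{h}></{h}>"
    bits = [str(bit(i, n - 1)) for i in range(L(n))]
    if h == 1:
        return "<1>" + "".join(bits) + "</1>"
    return f"<{h}>" + "".join(mu(h - 1, i) + bits[i] for i in range(L(n))) + f"</{h}>"


# Assumed CNF representation (not from the paper): a clause is a list of
# (variable index, positive) pairs, so [(0, True), (2, False)] stands for X_0 or not X_2.
def encode_literal(h, i, positive):
    return f"<lit>{mu(h, i)}{'+' if positive else '-'}</lit>"


def encode_clause(h, clause):
    return "<clause>" + "".join(encode_literal(h, i, p) for i, p in clause) + "</clause>"


def encode_cnf(h, cnf):
    return "<cnf>" + "".join(encode_clause(h, c) for c in cnf) + "</cnf>"


def encode_slots(h, n):
    """mu_h(X_0, ..., X_{n-1}): one <val> mu_h(i) * </val> slot per variable, in order."""
    return "<ass>" + "".join(f"<val>{mu(h, i)}*</val>" for i in range(n)) + "</ass>"


def encode_instance(h, cnf, n):
    """mu_h(gamma, *) = mu_h(gamma) mu_h(X_0, ..., X_{n-1}); Lemma 2(b) needs n <= Tower(h)."""
    assert n <= tower(h)
    return encode_cnf(h, cnf) + encode_slots(h, n)


def star_positions(w):
    """The *-positions of w in order; the i-th one sits directly after mu_h(i) (Remark 1)."""
    return [p for p, c in enumerate(w) if c == "*"]


def positions_to_assignment(w, P):
    """alpha_P: X_i is true iff the i-th *-position belongs to P."""
    return tuple(p in P for p in star_positions(w))


def assignment_to_positions(w, alpha):
    """P_alpha: the *-positions of exactly those variables that alpha maps to true."""
    return {p for p, v in zip(star_positions(w), alpha) if v}


def satisfies(cnf, alpha):
    """A clause is satisfied iff some literal's polarity agrees with alpha."""
    return all(any(alpha[i] == p for i, p in clause) for clause in cnf)


def canonical_assignment(cnf, n):
    """Lexicographically smallest satisfying assignment (false < true, X_0 most significant),
    which is the order on the 0-1-strings of the sets P_alpha. None if gamma is unsatisfiable."""
    for alpha in product((False, True), repeat=n):
        if satisfies(cnf, alpha):
            return alpha
    return None


# Constructed sample instance: gamma = (X0 v X1) ^ (~X0 v X2) ^ (~X1 v ~X2), n = 3.
SAMPLE_CNF = [[(0, True), (1, True)], [(0, False), (2, True)], [(1, False), (2, False)]]
SAMPLE_N = 3


def demo():
    """h, the string mu_h(gamma, *), the canonical assignment and its set P_alpha."""
    h = lg_star(SAMPLE_N)
    w = encode_instance(h, SAMPLE_CNF, SAMPLE_N)
    alpha = canonical_assignment(SAMPLE_CNF, SAMPLE_N)
    return h, w, alpha, assignment_to_positions(w, alpha)


if __name__ == "__main__":
    print(demo())
```

For the sample instance $\lg^*(3) = 2$, so the variables are encoded with two levels of tags; the first assignment in lexicographic order that satisfies all three clauses sets only $X_1$ to true, and its set $P_\alpha$ consists of the single $*$-position following $\mu_2(1)$.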

Finally, we are ready for the proof of Theorem 2:

Proof of Theorem 2. Let $f : \mathbb{N} \to \mathbb{N}$ be a function such that there is, for every MSO-formula $\Phi(z)$, an MLFP-formula $\Psi(z)$ of size $\|\Psi\| \le f(\|\Phi\|)$ which defines the same query as $\Phi$ on the class of all finite strings (recall that such an $f$ does indeed exist, because MSO and MLFP have the same expressive power over the class of finite strings).

Consider the algorithm displayed in Figure 1, which decides if the input formula $\gamma$ is satisfiable.

The correctness of this algorithm directly follows from Lemma 3 and from the fact that at least one of the formulas $\Psi(z)$ of size $\le f(\|\Phi_h\|)$ defines the same query as $\Phi_h(z)$.

It remains to determine the worst-case running time of the algorithm. Let $\gamma$ be an input CNF-formula for the algorithm, let $n$ be the number of propositional variables of $\gamma$, and let $h := \lg^*(n)$.

¹ In [FG03], an additional factor $\lg h$ occurs because there a logarithmic cost measure is used for the formula size, whereas here we use a uniform measure (cf., Section 2.4).
Input: a SAT-instance $\gamma$ in CNF

1. Count the number $n$ of propositional variables occurring in $\gamma$, and modify $\gamma$ in such a way that only the propositional variables $X_0, \ldots, X_{n-1}$ occur in it.

2. Compute $h := \lg^*(n)$, i.e., choose $h \in \mathbb{N}$ such that $\mathrm{Tower}(h-1) < n \le \mathrm{Tower}(h)$.

3. Construct the string $\mu_h(\gamma, *)$ that represents $\gamma$ (see Lemma 2 (a)).

4. Construct an MSO-formula $\Phi_h(z)$ that has the following property: whenever $p$ is a position in $\mu_h(\gamma, *)$ that carries the letter $*$, we have $\mu_h(\gamma, *) \models \Phi_h(p)$ iff in the lexicographically smallest satisfying assignment for $\gamma$, the propositional variable corresponding to position $p$ is assigned the value true (cf., Lemma 3).

5. For all MLFP-formulas $\Psi(z)$ of size $\|\Psi\| \le f(\|\Phi_h\|)$ do:

 (a) Initialise the assignment $\alpha := \emptyset$.

 (b) For all positions $p$ in $\mu_h(\gamma, *)$ that carry the letter $*$ do: check whether $\mu_h(\gamma, *) \models \Psi(p)$; if so, then insert the propositional variable corresponding to $p$ into $\alpha$.

 (c) Check whether $\alpha$ is a satisfying assignment for $\gamma$; if so, then STOP with output "$\gamma$ is satisfiable via assignment $\alpha$".

6. STOP with output "$\gamma$ is not satisfiable".

Fig. 1. A SAT-solving algorithm.



The steps 1-4 of the algorithm will be performed within a number of steps polynomial in $\|\gamma\|$, and the MSO-formula $\Phi_h(z)$ produced in step 4 will have size $\|\Phi_h\| \le c \cdot h$, for a suitable constant $c \in \mathbb{N}$ (cf., Lemma 2 (a) and Lemma 3).

The loop in step 5 will be performed $2^{c_1 \cdot f(\|\Phi_h\|) \cdot \lg(f(\|\Phi_h\|))}$ times, for a suitable constant $c_1 \in \mathbb{N}$. To see this, note that formulas of length $\le f(\|\Phi_h\|)$ use at most $f(\|\Phi_h\|)$ different first-order variables and at most $f(\|\Phi_h\|)$ different set variables. I.e., these formulas can be viewed as strings of length $f(\|\Phi_h\|)$ over an alphabet of size $c_2 + 2 \cdot f(\|\Phi_h\|)$, for a suitable constant $c_2 \in \mathbb{N}$. Therefore, the number of such formulas is $\le (c_2 + 2 \cdot f(\|\Phi_h\|))^{f(\|\Phi_h\|)} \le 2^{c_1 \cdot f(\|\Phi_h\|) \cdot \lg(f(\|\Phi_h\|))}$.

Each performance of the loop in step 5 will take a number of steps polynomial in

$|\mu_h(\gamma, *)|^{O(f(\|\Phi_h\|))} \le \big(c_3 \cdot h \cdot (\lg n)^2 \cdot \|\gamma\|\big)^{c_4 \cdot f(c \cdot h)}$,

for suitable constants $c_3, c_4 \in \mathbb{N}$ (cf., Lemma 1 and Lemma 2 (a)). Altogether, for suitable constants $c, d \in \mathbb{N}$, the algorithm will perform the steps 1-6 within

$\|\gamma\|^{d \cdot f(c \cdot h) \cdot \lg(f(c \cdot h))}$

steps.

Now let us suppose that $f$ has bound $f(m) \le \mathrm{Tower}(o(m))$. From Lemma 4 below we then obtain that our SAT-solving algorithm has, for every $i \in \mathbb{N}$, time bound $\|\gamma\|^{\lg^{(i)}(n)}$. This finally completes the proof of Theorem 2. ■

Lemma 4. Let $f : \mathbb{N} \to \mathbb{N}$ be a function with bound $f(m) \le \mathrm{Tower}(o(m))$, and let $c, d \in \mathbb{N}$. For every $i \in \mathbb{N}$ there is an $n_0 \in \mathbb{N}$ such that for all $n \ge n_0$ we have

$d \cdot f(c \cdot \lg^*(n)) \cdot \lg\big(f(c \cdot \lg^*(n))\big) \le \lg^{(i)}(n)$. □



4. The Two-Variable Fragment of MLFP and the Full Modal μ-Calculus

Defining the 2-variable fixed-point logics requires some care: $\mathrm{MLFP}^2$ is the fragment of MLFP consisting of all formulas with just 2 individual variables and no parameters in fixed point operators, i.e., for all subformulas of the form $[\mathrm{LFP}_{x,X}\,\psi](y)$, $x$ is the only free first-order variable of $\psi$. This is the monadic fragment of the standard 2-variable least fixed-point logic (cf. [GO99]). Without the restriction on free variables in fixed-point operators, we obtain full MLFP even with just two individual variables (we prove this in the full version of this paper [GS03]).

We first note that $\mathrm{MLFP}^2$, and actually $\mathrm{FO}^2$, the two variable fragment of first-order logic, is doubly exponentially more succinct than nondeterministic automata on the class of all finite strings:

Example 2. Let $\sigma := \{L, R, P_1, \ldots, P_n\}$ and

$\varphi_n := \forall x \Big( Lx \to \exists y \big( Ry \wedge \bigwedge_{i=1}^{n} (P_i x \leftrightarrow P_i y) \big) \Big)$.

We claim that every nondeterministic finite automaton accepting precisely those strings over alphabet $2^\sigma$ that satisfy $\varphi_n$ has at least $2^{2^n}$ states. To see this, for every $S \subseteq 2^{\{1,\ldots,n\}}$ we define strings $X_n(S)$ and $Y_n(S)$ such that

- $L^{X_n(S)} = U^{X_n(S)}$ and $R^{Y_n(S)} = U^{Y_n(S)}$, i.e., every position of $X_n(S)$ carries $L$ and every position of $Y_n(S)$ carries $R$;

- for every $s \subseteq \{1,\ldots,n\}$ we have $s \in S$ iff there exists an $x \in U^{X_n(S)}$ with $s = \{i \mid x \in P_i^{X_n(S)}\}$ iff there exists a $y \in U^{Y_n(S)}$ with $s = \{i \mid y \in P_i^{Y_n(S)}\}$.

Let $W_n(S,T) := X_n(S)\,Y_n(T)$ be the concatenation of $X_n(S)$ and $Y_n(T)$. Then $W_n(S,T) \models \varphi_n$ iff $S \subseteq T$. Clearly, a nondeterministic finite automaton accepting precisely those strings $W_n(S,T)$ with $S \subseteq T$ needs at least $2^{2^n}$ states. □



Let us return to binary trees now. Following Vardi [Var98], we define the full modal μ-calculus $\mathrm{FL}_\mu$ on binary trees as follows: For each schema $\sigma$, an $\mathrm{FL}_\mu$-formula of schema $\sigma$ is either:

- $\mathrm{true}$, $\mathrm{false}$, $P$, or $\neg P$, where $P \in \sigma \cup \{\mathrm{Root},\ \text{Has-No-1stChild},\ \text{Has-No-2ndChild}\}$;

- $\Phi_1 \wedge \Phi_2$ or $\Phi_1 \vee \Phi_2$, where $\Phi_1$ and $\Phi_2$ are $\mathrm{FL}_\mu$-formulas of schema $\sigma$;

- $X$, where $X$ is a propositional variable;

- $\langle R \rangle \Phi$ or $[R]\Phi$, where $R \in \{\text{1stChild}, \text{2ndChild}, \text{1stChild}^{-1}, \text{2ndChild}^{-1}\}$ and $\Phi$ is an $\mathrm{FL}_\mu$-formula of schema $\sigma$;

- $\mu X.\Phi$ or $\nu X.\Phi$, where $X$ is a propositional variable and $\Phi$ is an $\mathrm{FL}_\mu$-formula of schema $\sigma$.

The semantics of $\mathrm{FL}_\mu$ is defined in the usual way, interpreting the binary relations over trees. The following is straightforward:

Proposition 1. $\mathrm{FL}_\mu$ is $O(m)$-succinct in $\mathrm{MLFP}^2$.

Our next result is that there also is a reverse translation from $\mathrm{MLFP}^2$ to $\mathrm{FL}_\mu$ which only incurs an exponential blow-up in size:

Theorem 3. $\mathrm{MLFP}^2$ is $2^{\mathrm{poly}(m)}$-succinct in $\mathrm{FL}_\mu$ on the class of labelled trees. □

Theorem 4 (Vardi [Var98]). For every formula $\Phi$ of the full modal μ-calculus $\mathrm{FL}_\mu$ there is a nondeterministic tree automaton of size $2^{\mathrm{poly}(\|\Phi\|)}$ that accepts exactly those labelled trees in which $\Phi$ holds at the root. □

As a matter of fact, Vardi [Var98] proved a stronger version of this theorem for infinite trees and parity tree automata. But on finite trees, a parity acceptance condition can always be replaced by a normal acceptance condition for finite tree automata.

Theorems 3 and 4 directly imply

Corollary 1. For every $\mathrm{MLFP}^2$-formula $\varphi(x)$ there is a nondeterministic tree automaton of size $2^{2^{\mathrm{poly}(\|\varphi\|)}}$ that accepts exactly those labelled trees in which $\varphi$ holds at the root. □

5. Monadic Datalog and Stratified Monadic Datalog

We assume that the reader is familiar with datalog, which may be viewed as logic programming without function symbols (cf., e.g., the textbook [AHV95]). A datalog program is monadic if all its IDB-predicates (i.e., its intensional predicates that appear in the head of some rule of the program) are unary. In this paper we restrict attention to monadic datalog programs that are interpreted over labelled trees. A monadic datalog program of schema $\sigma$ may use as EDB-predicates (i.e., extensional predicates which are determined by the structure the program is interpreted over) the predicates in $\tau_{\mathrm{trees}}$, the predicates in $\sigma$, and a predicate $\neg P$ for every $P \in \sigma$ which is interpreted as the complement of $P$. We use $\mathrm{IDB}(\mathcal{P})$ to denote the set of IDB-predicates of $\mathcal{P}$, and we write MonDatalog to denote the class of all monadic datalog programs.

More formally, a monadic datalog program $\mathcal{P}$ of schema $\sigma$ is a finite set of rules of the form $X(x) \leftarrow \gamma(x, \bar{y})$, where $\gamma$ is a conjunction of atomic formulas over the signature $\tau_{\mathrm{trees}} \cup \sigma \cup \{\neg P : P \in \sigma\} \cup \mathrm{IDB}(\mathcal{P})$. Every program has a distinguished goal IDB-predicate that determines the query defined by the program.

We define the size $\|\mathcal{P}\|$ of $\mathcal{P}$ in the same way as we defined the size of formulas.

In [GK02] it was shown that MonDatalog can define the same unary queries on the class of labelled trees as monadic second-order logic. In the remainder of this section we will compare the succinctness of MonDatalog, S-MonDatalog, $\mathrm{FL}_\mu$, MLFP, and a particular kind of tree automaton.

5.1. From MonDatalog to Finite Automata. Several mechanisms have been proposed in the literature for specifying unary queries by finite automata operating on labelled trees (cf., [NS02]). One such mechanism, introduced in [Nev99] and further investigated in [FGK03,Koc03], is the selecting tree automaton:

Definition 2 (STA). Let $\sigma$ be a schema. A selecting $\sigma$-tree automaton ($\sigma$-STA, for short) is a tuple $\mathfrak{A} = (Q, 2^\sigma, F, \delta, S)$, where $S \subseteq Q$ is the set of selecting states and $(Q, 2^\sigma, F, \delta)$ is a conventional nondeterministic bottom-up tree automaton (cf., e.g., [Tho96]) with finite state space $Q$, input alphabet $2^\sigma$, accepting states $F \subseteq Q$, and transition function

$\delta : 2^\sigma \cup (\{1\} \times Q \times 2^\sigma) \cup (\{2\} \times Q \times 2^\sigma) \cup (Q \times Q \times 2^\sigma) \to 2^Q$.

A run of $\mathfrak{A}$ on a $\sigma$-labelled tree $T$ is a mapping $\rho : U^T \to Q$ that has the following property, for all vertices $t, t_1, t_2 \in U^T$: if $t$ has no children then $\rho(t) \in \delta(\mathrm{label}(t))$; if $\text{1stChild}(t,t_1) \wedge \text{Has-No-2ndChild}(t)$ then $\rho(t) \in \delta(1, \rho(t_1), \mathrm{label}(t))$; if $\text{2ndChild}(t,t_2) \wedge \text{Has-No-1stChild}(t)$ then $\rho(t) \in \delta(2, \rho(t_2), \mathrm{label}(t))$; if $\text{1stChild}(t,t_1) \wedge \text{2ndChild}(t,t_2)$ then $\rho(t) \in \delta(\rho(t_1), \rho(t_2), \mathrm{label}(t))$.

A run $\rho$ of $\mathfrak{A}$ on $T$ is said to be accepting if it maps the root of $T$ to a state in $F$. The unary query defined by $\mathfrak{A}$ is the query which maps every $\sigma$-labelled tree $T$ to the set of those vertices $t \in U^T$ that satisfy the following condition: $\rho(t) \in S$ for every accepting run $\rho$ of $\mathfrak{A}$ on $T$. □

It was shown in [FGK03,Nev99] that STAs can define exactly those unary queries on the class of labelled trees that are definable in monadic second-order logic.

Theorem 5 ([FGK03,GK02]). MonDatalog is $2^{O(m)}$-succinct in STAs on the class of labelled trees. □

It is not hard to show that this result is asymptotically optimal, that is, that MonDatalog is not $2^{o(m)}$-succinct in STAs on the class of labelled trees (see [GS03] for details).

5.2. From S-MonDatalog to MonDatalog. In this section we show that S-MonDatalog-programs can be translated into MonDatalog-programs of at most exponential size. It remains open if the exponential size is indeed necessary or if, on the contrary, for every S-MonDatalog-program $\mathcal{P}$ there exists an equivalent MonDatalog-program $\mathcal{P}'$ of size polynomial in $\|\mathcal{P}\|$.

Lemma 5. For every $\sigma$-STA $\mathfrak{A} = (Q, 2^\sigma, F, \delta, S)$ there is a MonDatalog-program $\mathcal{P}$ of size polynomial in $|Q|$ and $|2^\sigma|$ that defines the complement of the query defined by $\mathfrak{A}$ on the class of all $\sigma$-labelled trees. □

Using Theorem 5 and Lemma 5 one easily obtains

Proposition 2. For every MonDatalog-program $\mathcal{P}$ there is a MonDatalog-program $\mathcal{P}'$ of size $2^{O(\|\mathcal{P}\|)}$ that defines the complement of the query defined by $\mathcal{P}$ on the class of labelled trees. □

Using the above proposition, it is not difficult to prove

Theorem 6. S-MonDatalog is $2^{O(m)}$-succinct in MonDatalog on the class of labelled trees. □

5.3. S-MonDatalog vs $\mathrm{FL}_\mu$. From Theorem 4 and Lemma 5 one directly obtains

Theorem 7. $\mathrm{FL}_\mu$ is $2^{\mathrm{poly}(m)}$-succinct in S-MonDatalog on the class of labelled trees. □

Conversely, it is not hard to show the following

Theorem 8. S-MonDatalog is $2^{O(m \cdot \lg m)}$-succinct in $\mathrm{FL}_\mu$ on the class of labelled trees. □

It remains open whether the above bounds are optimal.
5.4. From MLFP to S-MonDatalog. Similarly to Theorem 1 one easily obtains

Theorem 9 (Folklore). MLFP-sentences are $\mathrm{Tower}(O(m))$-succinct in S-MonDatalog on the class of labelled trees. □

The aim of this section is to show that there are no essentially smaller translations from MLFP to S-MonDatalog. We will use the following well-known observation:

Proposition 3 (Folklore). There is no function $f : \mathbb{N} \to \mathbb{N}$ with bound $f(m) \le \mathrm{Tower}(o(m))$ such that for every FO(<)-sentence $\varphi$ there is a nondeterministic finite automaton $\mathfrak{A}$ with at most $f(\|\varphi\|)$ states that accepts exactly those strings that satisfy $\varphi$. □

Using Proposition 3 and the results of Sections 5.1 and 5.2, one obtains the following:

Theorem 10. There is no function $f : \mathbb{N} \to \mathbb{N}$ with bound $f(m) \le \mathrm{Tower}(o(m))$ such that for every FO(<)-sentence $\varphi$ there is an S-MonDatalog-program $\mathcal{P}$ of size $\|\mathcal{P}\| \le f(\|\varphi\|)$ and a designated goal predicate $X \in \mathrm{IDB}(\mathcal{P})$ such that $(\mathcal{P}, X)$ defines the same Boolean query as $\varphi$ on the class of all finite strings. □

Since FO(<) is included in MLFP, the above theorem directly implies the following:

Corollary 2. MLFP is not $\mathrm{Tower}(o(m))$-succinct in S-MonDatalog on the class of all finite strings. □

It remains open if this result remains valid when replacing MLFP with $\mathrm{MLFP}^2$. Note, however, that for the proof of Proposition 3 a small number $k$ of first-order variables suffices. I.e., Proposition 3 remains valid when replacing FO(<) with $\mathrm{FO}^k(<)$, and Corollary 2 remains valid when replacing MLFP with $\mathrm{MLFP}^k$.

Together with Corollary 1 and Lemma 5, the above Corollary 2 implies

Corollary 3. MLFP is not $\mathrm{Tower}(o(m))$-succinct in $\mathrm{MLFP}^2$ on the class of all finite strings. □

6. Conclusion

We studied the succinctness of a number of fixed point logics on trees. We believe that the analysis of succinctness, which may be viewed as a refined, "quantitative" analysis of expressive power, is a very interesting topic that deserves much more attention.

Even though we were able to get a good overall picture of the succinctness of monadic fixed point logics on trees, a number of questions remain open. Let us just mention a few of them:

- The exact relationship between monadic datalog, stratified monadic datalog, and the full modal μ-calculus remains unclear. In particular: Is the class of all queries whose complements can be defined by monadic datalog programs polynomially succinct in monadic datalog, or is there an exponential lower bound? (Recall that in Proposition 2 we prove an exponential upper bound.)

- Our proof that MSO is not $\mathrm{Tower}(o(m))$-succinct in MLFP relies on a complexity theoretic assumption. Is it possible to prove this result without such an assumption?

- We have only considered the 2-variable fragment of MLFP here. What about the $k$-variable fragments, for $k \ge 3$? Do they form a strict hierarchy with respect to succinctness?
Abstract. Constructive dimension and constructive strong dimension are effectivizations of the Hausdorff and packing dimensions, respectively. Each infinite binary sequence $A$ is assigned a dimension $\dim(A) \in [0,1]$ and a strong dimension $\mathrm{Dim}(A) \in [0,1]$.

Let $\mathrm{DIM}^\alpha$ and $\mathrm{DIM}^\alpha_{\mathrm{str}}$ be the classes of all sequences of dimension $\alpha$ and of strong dimension $\alpha$, respectively. We show that $\mathrm{DIM}^0$ is properly $\Pi^0_2$, and that for all $\Delta^0_2$-computable $\alpha \in (0,1]$, $\mathrm{DIM}^\alpha$ is properly $\Pi^0_3$.

To classify the strong dimension classes, we use a more powerful effective Borel hierarchy where a co-enumerable predicate is used rather than an enumerable predicate in the definition of the $\Sigma^0_1$ level. For all $\Delta^0_2$-computable $\alpha \in [0,1)$, we show that $\mathrm{DIM}^\alpha_{\mathrm{str}}$ is properly in the $\Pi^0_3$ level of this hierarchy. We show that $\mathrm{DIM}^1_{\mathrm{str}}$ is properly in the $\Pi^0_2$ level of this hierarchy.

We also prove that the class of Schnorr random sequences and the class of computably random sequences are properly $\Pi^0_3$.



1 Introduction

Hausdorff dimension, the most extensively studied fractal dimension, has recently been effectivized at several levels of complexity, yielding applications to a variety of topics in theoretical computer science, including data compression, polynomial-time degrees, approximate optimization, feasible prediction, circuit-size complexity, Kolmogorov complexity, and randomness [14,15,3,1,8,5,7,17]. The most fundamental of these effectivizations is constructive dimension, which is closely related to Kolmogorov complexity and algorithmic randomness. For every subset $X$ of $\mathbf{C}$, the Cantor space of all infinite binary sequences, a constructive dimension $\mathrm{cdim}(X) \in [0,1]$ is assigned. Informally, this dimension is determined by the maximum rate of growth that a lower semicomputable martingale can achieve on all sequences in $X$.

* This research was supported in part by National Science Foundation Grant 9988483.
** Supported by the Austrian Research Fund (Lise Meitner grant M699-N05). Part of this author's research was done while visiting the second author at Caltech in January 2002.
Just as Martin-Löf [16] used constructive measure to define the randomness of individual sequences, Lutz [15] used constructive dimension to define the dimensions of individual sequences. Each sequence $A \in \mathbf{C}$ is assigned a dimension $\dim(A) \in [0,1]$ by $\dim(A) = \mathrm{cdim}(\{A\})$. Every Martin-Löf random sequence has dimension 1, but there are nonrandom sequences with dimension 1. For every real number $\alpha \in [0,1]$, there is a sequence with dimension $\alpha$.

It is useful to understand the arithmetical complexity of a class of sequences. For example, knowing that RAND, the class of Martin-Löf random sequences, is a $\Sigma^0_2$-class allows the application of Kreisel's Basis Lemma [12,18] to give a short proof [25] that

$\mathrm{RAND} \cap \Delta^0_2 \ne \emptyset.$ (1.1)

For any $\alpha \in [0,1]$, let

$\mathrm{DIM}^\alpha = \{A \in \mathbf{C} \mid \dim(A) = \alpha\}.$

Lutz [15] showed that

$\mathrm{DIM}^\alpha \cap \Delta^0_2 \ne \emptyset$ (1.2)

for any $\Delta^0_2$-computable $\alpha \in [0,1]$. As these dimension classes do not appear to be $\Sigma^0_2$, Lutz was unable to apply the Basis Lemma to them, so he used different techniques to prove (1.2).

We investigate the complexities of these dimension classes in terms of the arithmetical hierarchy of subsets of $\mathbf{C}$. We show that $\mathrm{DIM}^0$ is properly $\Pi^0_2$, and for all $\Delta^0_2$-computable $\alpha \in (0,1]$ we show that $\mathrm{DIM}^\alpha$ is properly $\Pi^0_3$. Therefore, the proof for (1.1) using Kreisel's Basis Lemma cannot directly be used to establish (1.2). (See however the comments made after Corollary 4.10.)

More recently, packing dimension, another important fractal dimension, has also been effectivized by Athreya, Hitchcock, Lutz, and Mayordomo [2]. At the constructive level, this is used in an analogous way to define the strong dimension $\mathrm{Dim}(A) \in [0,1]$ for every sequence $A$. For any $\alpha \in [0,1]$, let

$\mathrm{DIM}^\alpha_{\mathrm{str}} = \{A \in \mathbf{C} \mid \mathrm{Dim}(A) = \alpha\}.$

To classify these strong dimension classes, we introduce a more powerful effective Borel hierarchy where a co-enumerable predicate is used rather than an enumerable predicate in the definition of the $\Sigma^0_1$ level. We show that $\mathrm{DIM}^1_{\mathrm{str}}$ is properly in the $\Pi^0_2$ level of this stronger hierarchy. For all $\Delta^0_2$-computable $\alpha \in [0,1)$, we show that $\mathrm{DIM}^\alpha_{\mathrm{str}}$ is properly in the $\Pi^0_3$ level of this hierarchy.

Our techniques for classifying the dimension and strong dimension classes include Baire category, Wadge reductions, and Kolmogorov complexity. We also classify some effective randomness classes.

Section 2 gives an overview of the randomness and dimension notions used in this paper. In Section 3 we introduce the stronger effective Borel hierarchy that we use for the strong dimension classes. Section 4 presents the classification of $\mathrm{DIM}^\alpha$ and $\mathrm{DIM}^\alpha_{\mathrm{str}}$.
2 Background on Randomness and Dimension

This section provides an overview of the notions of randomness and dimension used in this paper. We write $\{0,1\}^*$ for the set of all finite binary strings and $\mathbf{C}$ for the Cantor space of all infinite binary sequences. In the standard way, a sequence $A \in \mathbf{C}$ can be identified with the subset of $\{0,1\}^*$ or $\mathbb{N}$ for which it is the characteristic sequence, or with a real number in the unit interval. The length of a string $w \in \{0,1\}^*$ is $|w|$. The string consisting of the first $n$ bits of $x \in \{0,1\}^* \cup \mathbf{C}$ is denoted by $x \upharpoonright n$. We write $w \sqsubseteq x$ if $w$ is a prefix of $x$.



2.1 Martin-Löf Randomness

Martin-Löf [16] introduced the notion of a constructive null set. A set is constructively null if it can be covered by a uniform sequence of c.e. open sets that are shrinking in size. That is, $X \subseteq \mathbf{C}$ is constructively null if $X \subseteq \bigcap_i U_i$, where $\{U_i\}_{i \in \mathbb{N}}$ is uniformly c.e. such that $\mu(U_i) \le 2^{-i}$. The sequence $\{U_i\}_{i \in \mathbb{N}}$ is called a Martin-Löf test. An individual sequence $A \in \mathbf{C}$ is Martin-Löf random if $\{A\}$ is not constructively null. The Martin-Löf random sequences play an important role in algorithmic information theory, see e.g. Li and Vitányi [13].

Schnorr [20], following Ville [26], characterized constructive null sets in terms of martingales. A function $d : \{0,1\}^* \to [0,\infty)$ is a martingale if for every $w \in \{0,1\}^*$, $d$ satisfies the averaging condition

$2\,d(w) = d(w0) + d(w1),$

and $d$ is a supermartingale if it satisfies

$2\,d(w) \ge d(w0) + d(w1).$

The success set of $d$ is

$S^\infty[d] = \Big\{ A \in \mathbf{C} \;\Big|\; \limsup_{n \to \infty} d(A \upharpoonright n) = \infty \Big\},$

i.e., it is the set of all sequences on which $d$ has unbounded value. We say that $d$ succeeds on a class $X \subseteq \mathbf{C}$ if $X \subseteq S^\infty[d]$.

Ville [26] proved that a set $X \subseteq \mathbf{C}$ has Lebesgue measure 0 if and only if there is a martingale $d$ that succeeds on $X$. Schnorr [20] showed that $X$ is constructively null if and only if $d$ can be chosen to be lower semicomputable, that is, if $d$ can be computably approximated from below. We call such a $d$ constructive.

Martin-Löf [16] proved that there is a universal constructive null set. That is, he proved that there is a Martin-Löf test $\{U_i\}_{i}$ such that for every other test $\{V_i\}_{i}$ it holds that $\bigcap_i V_i \subseteq \bigcap_i U_i$. By Schnorr's analysis this implies that there is also a universal constructive supermartingale $d$. That is, for any constructive supermartingale $d'$ there is a $c > 0$ such that $d(w) \ge c\,d'(w)$ for all $w \in \{0,1\}^*$. We will use this universal supermartingale in Section 4. We denote the complement of $S^\infty[d]$ by RAND, so that RAND consists of all the Martin-Löf random sequences.
2.2 Schnorr Randomness

Schnorr [20] criticized the notion of constructive null for an actual lack of constructiveness, and introduced the more constructive notion of a Schnorr null set, which is defined by requiring that the measure of the levels $U_i$ in a Martin-Löf test be computably approximable to within any given precision. It is easy to see that this is equivalent to the following: $X$ is Schnorr null if $X \subseteq \bigcap_i U_i$, where $\{U_i\}_{i \in \mathbb{N}}$ is uniformly c.e. such that $\mu(U_i) = 2^{-i}$. The sequence $\{U_i\}_{i \in \mathbb{N}}$ is called a Schnorr test.

Following Schnorr [20], we call an unbounded nondecreasing function $h : \mathbb{N} \to \mathbb{N}$ an order. (N.B. An "Ordnungsfunktion" in Schnorr's terminology is always computable, whereas we prefer to leave the complexity of orders unspecified in general.) For any order $h$ and martingale $d$, we define the order $h$ success set of $d$ as

$S^h[d] = \Big\{ A \in \mathbf{C} \;\Big|\; \limsup_{n \to \infty} \frac{d(A \upharpoonright n)}{h(n)} = \infty \Big\}.$

Schnorr pointed out that the rate of success of a constructive martingale $d$ can be so slow that it cannot be computably detected. Thus rather than working with constructive null sets of the form $S^\infty[d]$ with $d$ constructive, he worked with null sets of the form $S^h[d]$, where both $d$ and $h$ are computable. He proved that a set $X$ is Schnorr null if and only if it is included in a null set of the form $S^h[d]$, with $d$ and $h$ computable.

A sequence $A \in \mathbf{C}$ is Schnorr random if $\{A\}$ is not Schnorr null. This is related to the notion of computable randomness. A sequence $A$ is computably random if for any computable martingale $d$, $A \notin S^\infty[d]$.

We write $\mathrm{RAND}_{\mathrm{Schnorr}}$ for the class of all Schnorr random sequences and $\mathrm{RAND}_{\mathrm{comp}}$ for the class of all computably random sequences. By definition we have that

$\mathrm{RAND} \subseteq \mathrm{RAND}_{\mathrm{comp}} \subseteq \mathrm{RAND}_{\mathrm{Schnorr}}.$

The first inclusion was proved strict by Schnorr [20], and the second inclusion was proved strict by Wang [27].



2.3 Constructive Dimension 

Hausdorff [6] introduced the concept of null covers that “succeed exponentially 
fast” to define what is now commonly called Hausdorff dimension, the most 
widely used dimension in fractal geometry. Basically, this notion allows one to 
discern structure in classes of measure zero, and to calibrate them. As for con- 
structive measure, already Schnorr drew special attention to null sets of “expo- 
nential order”, although he did not make an explicit connection to Hausdorff 
dimension. 

Lutz [14,15] gave a characterization of Hausdorff dimension in terms of gales, 
which are a generalization of martingales. Let s G [0, oo). An s-gale is a function 
d : {0, 1}* — )• [0, oo) that satisfies the averaging condition 

2 s d{w) = d(wO) + d(wl) 



(2.1) 
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for every w £ {0, 1}*. Similarly, d is an s-supergale if (2.1) holds with > instead 
of equality. The success set S°° [d] is defined exactly as was done for martingales 
above. Lutz showed that for any class A C C, the Hausdorff dimension of A is 



dimn(Al) = inf 



there exists an s-gale 1 
d for which A C S°° [d] J ' 



(2.2) 



Lutz [15] effectivized this characterization to define the constructive dimensions 
of sets and sequences. An s-(super)gale is called constructive if it is lower semi- 
computable. The constructive dimension of a class A C C is 



,. ... ■ r f there exists a constructive s-gale 

cdim(A)=mf js d for wbicb A c S°°{dJ 

and the constructive dimension of an individual sequence A £ C is 



(2.3) 



dim(A) = cdim({A}). 

(Supergales can be equivalently used in place of gales in both (2.2) and (2.3) 
[14,9,4].) 

Constructive dimension has some remarkable properties. For example, Lutz
[15] showed that for any class $\mathcal{A}$,

$$\mathrm{cdim}(\mathcal{A}) = \sup_{A \in \mathcal{A}} \dim(A). \qquad (2.4)$$

Also, Mayordomo [17] established a strong connection with Kolmogorov
complexity: for any $A \in \mathcal{C}$,

$$\dim(A) = \liminf_{n \to \infty} \frac{K(A \upharpoonright n)}{n}, \qquad (2.5)$$

where $K(A \upharpoonright n)$ is the size of the smallest program that causes a fixed universal
self-delimiting Turing machine to output the first $n$ bits of $A$. (For comments
on the relation of this result to earlier results, see the report [23] by Staiger and
section 6 of [15]. For more details on Kolmogorov complexity, we refer to [13].)

One can also characterize constructive dimension using the Schnorr null sets
(see Section 2.2) of exponential order. The following proposition was observed
by several authors, including those of [1,24].

Proposition 2.1. Let $d$ be the universal constructive supermartingale. For any
$\mathcal{A} \subseteq \mathcal{C}$,

$$\mathrm{cdim}(\mathcal{A}) = \inf\{ s \in \mathbb{Q} : \mathcal{A} \subseteq S^{2^{(1-s)n}}[d] \}.$$



2.4 Constructive Strong Dimension 

More recently, Athreya, Hitchcock, Lutz, and Mayordomo [2] also characterized
packing dimension, another important fractal dimension, in terms of gales. For
this, the notion of strong success of an $s$-gale $d$ was introduced. The strong success
set of $d$ is

$$S^\infty_{\mathrm{str}}[d] = \left\{ A \in \mathcal{C} \;\middle|\; \liminf_{n \to \infty} d(A \upharpoonright n) = \infty \right\}.$$

Analogously to what was done for Hausdorff dimension, packing dimension can
be characterized using strong success sets of gales. Effectivizing this in the same
way leads to the definition of the constructive strong dimension of a class $\mathcal{A} \subseteq \mathcal{C}$
as

$$\mathrm{cDim}(\mathcal{A}) = \inf\left\{ s \;\middle|\; \text{there exists a constructive } s\text{-gale } d \text{ for which } \mathcal{A} \subseteq S^\infty_{\mathrm{str}}[d] \right\}.$$

The constructive strong dimension of a sequence $A \in \mathcal{C}$ is

$$\mathrm{Dim}(A) = \mathrm{cDim}(\{A\}).$$

A pointwise stability property analogous to (2.4) also holds for strong dimension,
as well as a Kolmogorov complexity characterization [2]:

$$\mathrm{Dim}(A) = \limsup_{n \to \infty} \frac{K(A \upharpoonright n)}{n} \qquad (2.6)$$

for any $A \in \mathcal{C}$.



3 Borel Hierarchies 

We use $\mathbf{\Sigma}^0_n$ and $\mathbf{\Pi}^0_n$ to denote the levels of the Borel hierarchy for subsets
of Cantor space. The levels of the arithmetical hierarchy (the corresponding
effective hierarchy) are denoted by $\Sigma^0_n$ and $\Pi^0_n$.

We will also make use of the following more general hierarchy definition.

Definition. Let $\mathcal{P}$ be a class of predicates, let $n \geq 1$, and let $\mathcal{A} \subseteq \mathcal{C}$.

— $\mathcal{A} \in \Sigma^0_n[\mathcal{P}]$ if for some predicate $P \in \mathcal{P}$,

$$A \in \mathcal{A} \iff (\exists k_n)(\forall k_{n-1}) \cdots (Q k_1)\, P(k_n, \ldots, k_2, A \upharpoonright k_1),$$

where $Q = \exists$ if $n$ is odd and $Q = \forall$ if $n$ is even.

— $\mathcal{A} \in \Pi^0_n[\mathcal{P}]$ if for some predicate $P \in \mathcal{P}$,

$$A \in \mathcal{A} \iff (\forall k_n)(\exists k_{n-1}) \cdots (Q k_1)\, P(k_n, \ldots, k_2, A \upharpoonright k_1),$$

where $Q = \forall$ if $n$ is odd and $Q = \exists$ if $n$ is even.

If we take $\mathcal{P}$ to be $\Delta^0_1$ (decidable predicates), then the above definition is
equivalent to the standard arithmetical hierarchy; that is,

$$\Sigma^0_n = \Sigma^0_n[\Delta^0_1] \quad\text{and}\quad \Pi^0_n = \Pi^0_n[\Delta^0_1]$$

hold for all $n$. Also, if $\mathrm{ALL}$ is the class of all predicates, then we obtain the
classical Borel hierarchy:

$$\mathbf{\Sigma}^0_n = \Sigma^0_n[\mathrm{ALL}] \quad\text{and}\quad \mathbf{\Pi}^0_n = \Pi^0_n[\mathrm{ALL}].$$

In this paper, we will also be interested in the cases where $\mathcal{P}$ is $\Sigma^0_1$ (enumerable
predicates) or $\Pi^0_1$ (co-enumerable predicates). In some cases, the classes in
the generalized hierarchy using these sets of predicates are no different from the
standard arithmetical hierarchy classes. If $n$ is odd, then $\Sigma^0_n = \Sigma^0_n[\Sigma^0_1]$, as the
existential quantifier in the $\Sigma^0_1$ predicate can be absorbed into the last quantifier
in the definition of $\Sigma^0_n[\Delta^0_1] = \Sigma^0_n$. Analogously, $\Pi^0_n = \Pi^0_n[\Pi^0_1]$ for odd $n$, and for
even $n$ we have $\Sigma^0_n = \Sigma^0_n[\Pi^0_1]$ and $\Pi^0_n = \Pi^0_n[\Sigma^0_1]$. On the other hand, using the
complementary set of predicates defines an effective hierarchy that is distinct
from and interleaved with the arithmetical hierarchy.

Proposition 3.1. 1. If $n$ is odd, then

$$\Sigma^0_n \subseteq \Sigma^0_n[\Pi^0_1] \subseteq \Sigma^0_{n+1} \quad\text{and}\quad \Pi^0_n \subseteq \Pi^0_n[\Sigma^0_1] \subseteq \Pi^0_{n+1}.$$

2. If $n$ is even, then

$$\Sigma^0_n \subseteq \Sigma^0_n[\Sigma^0_1] \subseteq \Sigma^0_{n+1} \quad\text{and}\quad \Pi^0_n \subseteq \Pi^0_n[\Pi^0_1] \subseteq \Pi^0_{n+1}.$$

Intuitively, the classes $\Pi^0_1[\Sigma^0_1], \Sigma^0_1[\Pi^0_1], \Pi^0_2[\Pi^0_1], \Sigma^0_2[\Sigma^0_1], \ldots$ are slightly
more powerful than their respective counterparts in the arithmetical hierarchy
because they use one additional quantifier that is limited to the predicate. We
now give a simple example of a class that is best classified in this hierarchy: the
class of all 1-generic sequences is $\Pi^0_2[\Pi^0_1]$ but not $\Pi^0_2$.

Example 3.2. Recall that a sequence $X \in \mathcal{C}$ is 1-generic (see e.g. Jockusch [10])
if

$$(\forall e)(\exists \sigma \sqsubset X)\big[\{e\}^\sigma(e)\!\downarrow \;\vee\; (\forall \tau \sqsupseteq \sigma)[\{e\}^\tau(e)\!\uparrow]\big].$$

From this definition it is immediate that the class $\mathcal{G} = \{X \mid X \text{ is 1-generic}\}$ is in
$\Pi^0_2[\Pi^0_1]$. To show that $\mathcal{G}$ is not $\Pi^0_2$, suppose that it is. Then there is a computable
predicate $R$ such that

$$X \in \mathcal{G} \iff (\forall n)(\exists m)\,[R(n, X \upharpoonright m)].$$

As $\mathcal{G}$ is dense, we can now easily construct a computable element of it by a
computable finite extension argument, which gives a contradiction. (Given $\sigma$ at
stage $n$, search for an extension $\sigma' \sqsupseteq \sigma$ such that $R(n, \sigma')$. Such an extension will be
found by density. Take this extension and proceed to stage $n + 1$.)
Staiger has pointed out to us that the class $\Pi^0_2[\Pi^0_1]$ already occurred under a
different guise in his paper [22], where it was called fp, and several presentations
were proven to be equivalent to it. The following definitions are from [21]. For
any set $W$ of initial segments define

$$\lim W = \{A \in \mathcal{C} \mid (\forall \sigma \sqsubset A)\, \sigma \in W\},$$

$$W^\sigma = \{A \in \mathcal{C} \mid (\forall^\infty \sigma \sqsubset A)\, \sigma \in W\}.$$

Staiger proved that the classes in $\Pi^0_2[\Pi^0_1]$ are those of the form $\lim W$, for $W \in
\Sigma^0_2$, and the classes in $\Sigma^0_2[\Sigma^0_1]$ are those of the form $W^\sigma$, for $W \in \Sigma^0_1$.



4 Classification of $\mathrm{DIM}^\alpha$ and $\mathrm{DIM}^\alpha_{\mathrm{str}}$



In this section we investigate the arithmetical complexity of the following
dimension and strong dimension classes.

$$\begin{aligned}
\mathrm{DIM}^{\alpha} &= \{A \in \mathcal{C} \mid \dim(A) = \alpha\} & \mathrm{DIM}^{\alpha}_{\mathrm{str}} &= \{A \in \mathcal{C} \mid \mathrm{Dim}(A) = \alpha\} \\
\mathrm{DIM}^{\leq \alpha} &= \{A \in \mathcal{C} \mid \dim(A) \leq \alpha\} & \mathrm{DIM}^{\leq \alpha}_{\mathrm{str}} &= \{A \in \mathcal{C} \mid \mathrm{Dim}(A) \leq \alpha\} \\
\mathrm{DIM}^{\geq \alpha} &= \{A \in \mathcal{C} \mid \dim(A) \geq \alpha\} & \mathrm{DIM}^{\geq \alpha}_{\mathrm{str}} &= \{A \in \mathcal{C} \mid \mathrm{Dim}(A) \geq \alpha\}
\end{aligned}$$



Let $\alpha \in [0,1]$ be $\Delta^0_2$-computable. For any such $\alpha$, it is well known that there
is a computable function $\hat{\alpha} : \mathbb{N} \to \mathbb{Q}$ such that $\lim_{n \to \infty} \hat{\alpha}(n) = \alpha$. Using (2.5), we
have

$$\begin{aligned}
\dim(X) \leq \alpha &\iff \liminf_{n \to \infty} \frac{K(X \upharpoonright n)}{n} \leq \alpha \\
&\iff (\forall k)(\forall N)(\exists n \geq N)\; K(X \upharpoonright n) \leq (\hat{\alpha}(n) + 1/k)\, n,
\end{aligned}$$

so $\mathrm{DIM}^{\leq \alpha}$ is a $\Pi^0_2$-class. Also,

$$\begin{aligned}
\dim(X) \geq \alpha &\iff \liminf_{n \to \infty} \frac{K(X \upharpoonright n)}{n} \geq \alpha \\
&\iff (\forall k)(\exists N)(\forall n \geq N)\; K(X \upharpoonright n) \geq (\hat{\alpha}(N) - 1/k)\, n,
\end{aligned}$$

so $\mathrm{DIM}^{\geq \alpha}$ is a $\Pi^0_3$-class. Therefore we have the following.

Proposition 4.1. 1. The class $\mathrm{DIM}^0$ is $\Pi^0_2$.

2. For all $\Delta^0_2$-computable $\alpha \in (0,1]$, $\mathrm{DIM}^\alpha$ is a $\Pi^0_3$-class.

3. For arbitrary $\alpha \in (0,1]$, $\mathrm{DIM}^\alpha$ is a $\mathbf{\Pi}^0_3$-class.
The situation is slightly more complicated for strong dimension. By (2.6), we
have

$$\begin{aligned}
\mathrm{Dim}(X) \leq \alpha &\iff \limsup_{n \to \infty} \frac{K(X \upharpoonright n)}{n} \leq \alpha \\
&\iff (\forall k)(\exists N)(\forall n \geq N)\; K(X \upharpoonright n) \leq (\hat{\alpha}(N) + 1/k)\, n \\
&\iff (\forall k)(\exists N)(\forall n \geq N)(\exists (\pi, t))\; |\pi| \leq (\hat{\alpha}(N) + 1/k)\, n \\
&\qquad\qquad \text{and } U(\pi) = X \upharpoonright n \text{ in} \leq t \text{ computation steps},
\end{aligned}$$

where $U$ is the fixed universal self-delimiting Turing machine used to define $K$.
From this it is clear that $\mathrm{DIM}^{\leq \alpha}_{\mathrm{str}} \in \Pi^0_4$. However, the “$(\exists (\pi, t))$” quantifier is
local to the defining predicate, so we have $\mathrm{DIM}^{\leq \alpha}_{\mathrm{str}} \in \mathbf{\Pi}^0_3$, and in fact, it is a
$\Pi^0_3[\Sigma^0_1]$-class. Also,

$$\begin{aligned}
\mathrm{Dim}(X) \geq \alpha &\iff \limsup_{n \to \infty} \frac{K(X \upharpoonright n)}{n} \geq \alpha \\
&\iff (\forall k)(\forall N)(\exists n \geq N)\; K(X \upharpoonright n) \geq (\hat{\alpha}(n) - 1/k)\, n,
\end{aligned}$$

so $\mathrm{DIM}^{\geq \alpha}_{\mathrm{str}}$ is a $\Pi^0_2[\Pi^0_1]$-class. This establishes the following analogue of
Proposition 4.1.

Proposition 4.2. 1. The class $\mathrm{DIM}^1_{\mathrm{str}}$ is $\Pi^0_2[\Pi^0_1]$.

2. For all $\Delta^0_2$-computable $\alpha \in [0,1)$, $\mathrm{DIM}^\alpha_{\mathrm{str}}$ is a $\Pi^0_3[\Sigma^0_1]$-class.

3. For arbitrary $\alpha \in [0,1)$, $\mathrm{DIM}^\alpha_{\mathrm{str}}$ is a $\mathbf{\Pi}^0_3$-class.

In the remainder of this section we prove that the classifications in Proposi- 
tions 4.1 and 4.2 cannot be improved in their respective hierarchies. 



4.1 Category Methods 

Recall that a class $\mathcal{X}$ is meager if it is included in a countable union of nowhere
dense subsets of $\mathcal{C}$, and comeager if its complement $\overline{\mathcal{X}}$ is meager. The following
lemma (implicit in Rogers [19, p. 341]) will be useful.

Lemma 4.3. If $\mathcal{X} \in \Sigma^0_2$ and $\overline{\mathcal{X}}$ is dense then $\mathcal{X}$ is meager.

The class RAND of Martin-Löf random sets can easily be classified with
category methods.

Theorem 4.4. (folk) RAND is a $\Sigma^0_2$-class, but not a $\Pi^0_2$-class.

As $\mathrm{DIM}^0$ and $\mathrm{DIM}^1_{\mathrm{str}}$ are dense $\mathbf{\Pi}^0_2$-classes that have dense complements,
an argument similar to the one used for Theorem 4.4 shows that they are not
$\Sigma^0_2$-classes.

Theorem 4.5. The classes $\mathrm{DIM}^0$ and $\mathrm{DIM}^1_{\mathrm{str}}$ are not $\Sigma^0_2$-classes.

We now develop category methods for the other $\mathrm{DIM}^\alpha$ classes. For every
rational $s$, define the computable order $h_s(n) = 2^{(1-s)n}$. Let $d$ be the optimal
constructive supermartingale.
Lemma 4.6. For every rational $s \in (0,1)$, $S^{h_s}[d]$ is a comeager $\Pi^0_2$-class.

Proof. Notice that $\overline{S^{h_s}[d]} \in \Sigma^0_2$ and $S^{h_s}[d]$ is dense. Now apply Lemma 4.3. □

Lemma 4.7. For all $\alpha \in (0,1]$, $\mathrm{DIM}^\alpha$ is meager.

Proof. Let $s < \alpha$ be rational. Lutz [15] showed that $d^{(s)}(w) = \ldots$ is
an optimal constructive $s$-supergale. It follows that for any $A \in \mathcal{C}$, $A \in S^{h_s}[d] \Rightarrow
\dim(A) < \alpha$. Therefore $\mathrm{DIM}^\alpha \subseteq \overline{S^{h_s}[d]}$, so $\mathrm{DIM}^\alpha$ is meager by Lemma 4.6. □

Proposition 4.8. For all $\alpha \in (0,1]$, $\mathrm{DIM}^\alpha$ is not a $\Pi^0_2$-class.

Proof. If $\mathrm{DIM}^\alpha \in \Pi^0_2$, then Lemma 4.3 implies that $\mathrm{DIM}^\alpha$ is comeager,
contradicting Lemma 4.7. □

To strengthen Proposition 4.8 to show that $\mathrm{DIM}^\alpha$ is not $\Sigma^0_3$, we now turn to
Wadge reductions.



4.2 Wadge Reductions 

Let $\mathcal{A}, \mathcal{B} \subseteq \mathcal{C}$. A Wadge reduction of $\mathcal{A}$ to $\mathcal{B}$ is a function $f : \mathcal{C} \to \mathcal{C}$ that
is continuous and satisfies $\mathcal{A} = f^{-1}(\mathcal{B})$, i.e., $X \in \mathcal{A} \iff f(X) \in \mathcal{B}$. We say
that $\mathcal{B}$ is Wadge complete for a class $\Gamma$ of subsets of $\mathcal{C}$ if $\mathcal{B} \in \Gamma$ and every
$\mathcal{A} \in \Gamma$ Wadge reduces to $\mathcal{B}$. As the classes of the Borel hierarchy are closed
under Wadge reductions, Wadge completeness can be used to properly identify
the location of a subset of $\mathcal{C}$ in the hierarchy.

We now prove that $\mathrm{DIM}^1$ is Wadge complete for $\mathbf{\Pi}^0_3$. We will then give Wadge
reductions from it to $\mathrm{DIM}^\alpha$ for the other values of $\alpha$.

Theorem 4.9. $\mathrm{DIM}^1$ is Wadge complete for $\mathbf{\Pi}^0_3$. Therefore $\mathrm{DIM}^1$ is not a $\mathbf{\Sigma}^0_3$-class,
and in particular is not a $\Sigma^0_3$-class.

Proof. One could prove this by reducing a known $\mathbf{\Pi}^0_3$-complete class to $\mathrm{DIM}^1$,
e.g. the class of sets that have a limiting frequency of 1’s that is 0 (this class was
proved to be $\mathbf{\Pi}^0_3$-complete by Ki and Linton [11]), but it is just as easy to build
a direct reduction from an arbitrary $\mathbf{\Pi}^0_3$-class.

Let $d$ be the universal constructive supermartingale. Note that we have (cf.
Proposition 2.1)

$$S^{2^n}[d] \subseteq \ldots \subseteq S^{2^{n/k}}[d] \subseteq S^{2^{n/(k+1)}}[d] \subseteq \ldots \subseteq \overline{\mathrm{DIM}^1}.$$

Let $\bigcup_k \bigcap_s O_{k,s}$ be a $\mathbf{\Sigma}^0_3$-class. Without loss of generality $O_{k,s} \supseteq O_{k,s+1}$ for all
$k, s$. We define a continuous function $f : \mathcal{C} \to \mathcal{C}$ such that
so that we have

$$X \notin \bigcup_k \bigcap_s O_{k,s} \iff (\forall k)\; f(X) \notin S^{2^{n/k}}[d] \iff f(X) \in \mathrm{DIM}^1.$$

The image $Y = f(X)$ is defined in stages, $Y = \bigcup_s Y_s$, such that every initial
segment of $X$ defines an initial segment of $Y$.

At stage 0 we define $Y_0$ to be the empty sequence.

At stage $s > 0$ we consider $X \upharpoonright s$, and for each $k$ we define $t_{k,s}$ to be the
largest stage $t \leq s$ such that $X \upharpoonright s \in O_{k,t}$. (Let $t_{k,s} = 0$ if such a $t$ does
not exist.) Define $k$ to be expansionary at stage $s$ if $t_{k,s-1} < t_{k,s}$. Now we let
$k(s) = \min\{k : k \text{ is expansionary at } s\}$. There are two substages.

Substage (a). First consider all strings $\sigma$ extending $Y_{s-1}$ of minimal length
with $d(\sigma) \geq 2^{|\sigma|/k(s)}$, and take the leftmost one of these $\sigma$’s. Such $\sigma$’s exist
because $S^{2^{n/k(s)}}[d]$ is dense. If $k(s)$ does not exist, let $\sigma = Y_{s-1}$.

Substage (b). Next consider all extensions $\tau \sqsupseteq \sigma$ of minimal length such that
$d(\tau \upharpoonright i) \leq d(\tau \upharpoonright (i-1))$ for every $|\sigma| < i \leq |\tau|$, and $d(\tau) \leq |\tau|$. Clearly such $\tau$
exist, by direct diagonalization against $d$. Define $Y_s$ to be the leftmost of these
$\tau$. This concludes the construction.

So $Y_s$ is defined by first building a piece of evidence $\sigma$ that $d$ achieves growth
rate $2^{n/k(s)}$ on $Y$ and then slowing down the growth rate of $d$ to the order $n$.

Note that $f$ is continuous. If $X \in \bigcup_k \bigcap_s O_{k,s}$, then for the minimal $k$ such that
$X \in \bigcap_s O_{k,s}$, infinitely many pieces of evidence $\sigma$ witness that $d$ achieves growth
rate $2^{n/k}$ on $Y$, so $Y \notin \mathrm{DIM}^1$. On the other hand, if $X \notin \bigcup_k \bigcap_s O_{k,s}$ then for
every $k$ only finitely often $d(Y_s) \geq 2^{|Y_s|/k}$, because in substage (a) the extension
$\sigma$ is chosen to be of minimal length, so $Y \notin S^{h_k}[d]$. Hence $Y \in \mathrm{DIM}^1$. □

As RAND is a $\Sigma^0_2$-class, we have the following corollary (which can also be
proved by a direct construction).

Corollary 4.10. (Lutz [15]) RAND is a proper subset of $\mathrm{DIM}^1$.

In order to establish the existence of $\Delta^0_2$-computable sequences of any
$\Delta^0_2$-computable dimension $\alpha \in [0,1)$, Lutz [15] defined a dilution function $g_\alpha : \mathcal{C} \to
\mathcal{C}$ that is computable and satisfies $\dim(g_\alpha(X)) = \alpha \cdot \dim(X)$ for all $X \in \mathcal{C}$.
Applying this to any $\Delta^0_2$-computable Martin-Löf random sequence (which must
have dimension 1) establishes the existence theorem. (We note that $g_\alpha(X)$ has
the same Turing degree as $X$. Since by the Low Basis Theorem of Jockusch
and Soare [18, Theorem V.5.32] there are Martin-Löf random sets of low degree,
we immediately obtain that there are low sets of any $\Delta^0_2$-computable dimension
$\alpha$.) As $g_\alpha$ is continuous, it is a Wadge reduction from $\mathrm{DIM}^1$ to $\mathrm{DIM}^\alpha$ if $\alpha >
0$. Combining this with the previous theorem, we have that $\mathrm{DIM}^\alpha$ is Wadge
complete for $\mathbf{\Pi}^0_3$ for all $\Delta^0_2$-computable $\alpha \in (0,1)$. We now give a similar dilution
construction that will allow us to prove this for arbitrary $\alpha \in (0,1)$.
Let $X \in \mathcal{C}$ and let $\alpha \in (0,1)$. Write $X = x_1 x_2 x_3 \ldots$ where $|x_n| = 2n - 1$ for
all $n$, noting that $|x_1 \cdots x_n| = n^2$. For each $n$, let $k_n = \ldots$ and $y_n = 0^{k_n}$.

We then define $f_\alpha(X) = x_1 y_1 x_2 y_2 \cdots x_n y_n \cdots$. Observe that $f_\alpha$ is a continuous
function mapping $\mathcal{C}$ to $\mathcal{C}$. We now show that it modifies the dimension of $X$ in
a controlled manner.

Lemma 4.11. For any $X \in \mathcal{C}$ and $\alpha \in (0,1)$, $\dim(f_\alpha(X)) = \alpha \cdot \dim(X)$ and
$\mathrm{Dim}(f_\alpha(X)) = \alpha \cdot \mathrm{Dim}(X)$.

The function $f_\alpha$ establishes the completeness of $\mathrm{DIM}^\alpha$.

Theorem 4.12. For all $\alpha \in (0,1)$, $\mathrm{DIM}^\alpha$ is Wadge complete for $\mathbf{\Pi}^0_3$. Therefore
it is not a $\mathbf{\Sigma}^0_3$-class, and in particular not a $\Sigma^0_3$-class.

Proof. By Lemma 4.11, $f_\alpha$ is a Wadge reduction from $\mathrm{DIM}^1$ to $\mathrm{DIM}^\alpha$. Therefore
$\mathrm{DIM}^\alpha$ is Wadge complete for $\mathbf{\Pi}^0_3$ by composing $f_\alpha$ with the reduction from
Theorem 4.9. □



For lack of space, we state the following theorems without proof. 

Theorem 4.13. For all $\alpha \in [0,1)$, $\mathrm{DIM}^\alpha_{\mathrm{str}}$ is Wadge complete for $\mathbf{\Pi}^0_3$. Therefore
$\mathrm{DIM}^\alpha_{\mathrm{str}}$ is not a $\mathbf{\Sigma}^0_3$-class, and in particular is not a $\Sigma^0_3[\Pi^0_1]$-class.

Theorem 4.14. $\mathrm{RAND}_{\mathrm{Schnorr}}$ is a $\Pi^0_3$-class, but not a $\Sigma^0_3$-class.

Theorem 4.15. $\mathrm{RAND}_{\mathrm{comp}}$ is a $\Pi^0_3$-class, but not a $\Sigma^0_3$-class.

4.3 Ad Hoc Methods 

When the level of the class in the effective hierarchy is not the same as the level
in the classical hierarchy one often needs to resort to ad hoc arguments. One
might think that the notion of effective Wadge reduction, or recursive functional,
would be the proper notion to use in classifying classes of reals in the effective
hierarchy. However, this notion is rarely useful for the following reason. Let $\mathcal{X}$
be a class without computable elements, such as the class of Martin-Löf random
sets or the class of 1-generic sets. Then $\mathcal{X}$ cannot be proven to be complete for
any level of the effective hierarchy by a recursive Wadge reduction $f$. For if $X$ is
recursive, then so is $f(X)$, so we can never have $X \in \mathcal{C} \iff f(X) \in \mathcal{X}$. So we
see that “easy” classes like $\mathcal{C}$ that contain recursive elements cannot be reduced
in such a way to many “difficult” classes, which renders the notion rather useless.

We have left open the question whether $\mathrm{DIM}^1_{\mathrm{str}}$ is not in $\Pi^0_2$, and whether
$\mathrm{DIM}^\alpha_{\mathrm{str}}$ is not in $\Pi^0_3$ for any $\Delta^0_2$-computable $\alpha \in [0,1)$. We have no answer to
the second question, but we provide an answer to the first in the next theorem.
We make use of the following lemma:

Lemma 4.16. If $\mathcal{X} \in \Pi^0_2$ is dense then there is a computable $X \in \mathcal{X}$.
Proof. This is an easy finite extension argument. Suppose that $\mathcal{X} = \{X :
(\forall m)(\exists k)\, R^X(m,k) = 1\} \in \Pi^0_2$ is dense. (Here $R$ is a computable predicate.
Note that $R$ does not have to be defined with oracles $X$ that are not in $\mathcal{X}$.)
Given any initial segment $\tau$ such that

$$(\forall n < m)(\exists k)\, R^\tau(n,k) = 1,$$

we show how to compute an extension $\sigma \sqsupseteq \tau$ such that

$$(\exists k)\, R^\sigma(m,k) = 1. \qquad (4.2)$$

Because $\mathcal{X}$ is dense, there are $X \sqsupseteq \tau$ and $k$ such that $R^X(m,k) = 1$. Let $u$ be
the use of this computation, i.e. the part of the oracle $X$ used in it. Now define
$\sigma = \max\{X \upharpoonright u, \tau\}$. Then $\sigma \sqsupseteq \tau$ satisfies (4.2).

Now it is clear that for every $m$ we can compute appropriate extensions $\sigma_m$
such that $X = \bigcup_m \sigma_m$ is computable and $(\forall m)(\exists k)\, R^{\sigma_m}(m,k) = 1$, so that
$X \in \mathcal{X}$. □
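The finite extension argument of Lemma 4.16, run on a concrete dense $\Pi^0_2$ class, as an added Python example (not the paper's code). It assumes the class of disjunctive sequences (every finite binary string occurs somewhere), with $R^X(m,k)$ reading "the $m$-th string in length-lexicographic order occurs in $X$ at position $k$"; the stage-by-stage search for a minimal extension $\sigma_m$ is the one in the proof, with the oracle use modelled by the predicate answering None when it needs bits beyond the current prefix.

```python
"""Computable element of a dense Pi^0_2 class by finite extensions (Lemma 4.16).

Added example: the class X = {X : (forall m)(exists k) R^X(m,k) = 1} is instantiated
with the (constructed) predicate R_disjunctive; any other computable predicate
defining a dense Pi^0_2 class can be passed to computable_element instead.
"""
from itertools import product


def nth_string(m):
    """m-th binary string in length-lexicographic order: "", "0", "1", "00", ..."""
    length = 0
    # strings of length L occupy indices 2^L - 1 .. 2^(L+1) - 2
    while (1 << (length + 1)) - 1 <= m:
        length += 1
    idx = m - ((1 << length) - 1)
    return format(idx, "b").zfill(length) if length > 0 else ""


def R_disjunctive(m, k, w):
    """Oracle predicate R^w(m,k): 'nth_string(m) occurs in w at position k'.

    Returns True/False when the prefix w contains every bit the computation
    reads (its use lies within |w|), and None when it would read beyond w.
    """
    s = nth_string(m)
    if k + len(s) > len(w):
        return None
    return w[k:k + len(s)] == s


def extend(tau, m, R, max_len=64):
    """Stage m of the proof: the leftmost shortest sigma extending tau with
    (exists k) R^sigma(m,k) = 1.

    Lengths and witnesses k are dovetailed; the search terminates because the
    class is dense (max_len only guards against a non-dense R).
    """
    for length in range(len(tau), max_len + 1):
        for bits in product("01", repeat=length - len(tau)):
            sigma = tau + "".join(bits)
            for k in range(length + 1):
                if R(m, k, sigma) is True:
                    return sigma
    raise RuntimeError("no extension found: the class is not dense below max_len")


def computable_element(R, stages):
    """Run the construction for `stages` stages and return the prefix sigma_{stages-1}
    of the computable sequence X = union of the sigma_m."""
    sigma = ""
    for m in range(stages):
        sigma = extend(sigma, m, R)
    return sigma


if __name__ == "__main__":
    prefix = computable_element(R_disjunctive, 12)
    print(prefix)  # every string among the first 12 occurs in this prefix
```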



Theorem 4.17. $\mathrm{DIM}^1_{\mathrm{str}}$ is not a $\Pi^0_2$-class. Hence it is properly $\Pi^0_2[\Pi^0_1]$.

Proof. Suppose that $\mathrm{DIM}^1_{\mathrm{str}}$ is $\Pi^0_2$. Then, since clearly $\mathrm{DIM}^1_{\mathrm{str}}$ is dense, by
Lemma 4.16 it contains a computable real, contradicting that every computable
real has strong dimension 0. □

We conclude this section by summarizing its main results in the following
table.

                              $\mathrm{DIM}^\alpha$                              $\mathrm{DIM}^\alpha_{\mathrm{str}}$
  $\alpha = 0$                $\Pi^0_2 - \Sigma^0_2$                            $\Pi^0_3[\Sigma^0_1] - \Sigma^0_3$
  $\alpha \in (0,1)$          $\Pi^0_3 - \Sigma^0_3$                            $\Pi^0_3[\Sigma^0_1] - \Sigma^0_3$
  $\alpha = 1$                $\Pi^0_3 - \Sigma^0_3$                            $\Pi^0_2[\Pi^0_1] - (\Sigma^0_2 \cup \Pi^0_2)$
  arbitrary $\alpha \in (0,1)$  $\mathbf{\Pi}^0_3 - \mathbf{\Sigma}^0_3$

Question 4.18. Is it the case that $\mathrm{DIM}^\alpha_{\mathrm{str}}$ is not in $\Pi^0_3$ for any $\Delta^0_2$-computable
$\alpha \in [0,1)$?
Abstract. In [4] a basis for the admissible rules of intuitionistic propositional
logic IPC was given. Here we strengthen this result by presenting
a system ADM that has the following two properties. $A \vdash_{\mathrm{ADM}} B$
implies that $A$ admissibly derives $B$. ADM is complete in the sense that
for every formula $A$ there exists a formula $A \vdash_{\mathrm{ADM}} A_A$ such that the
admissibly derivable consequences of $A$ are the (normal) consequences of
$A_A$. This work is related to and partly relies upon research by Ghilardi
on projective formulas [2] [3].



1 Introduction 

An interesting meta-mathematical property of intuitionistic propositional logic
IPC is the existence of non-derivable admissible rules for this logic. That is, there
exist rules that, when added to IPC, do not lead to new theorems, but that are not
derivable in IPC either. We write $A \mathrel{|\!\sim} B$ if $A/B$ is an admissible rule. Some results
during the last decade have shed some light on the structure of the admissible
derivability relation $\mathrel{|\!\sim}$. Rybakov [6] showed that $\mathrel{|\!\sim}$ is decidable and Ghilardi
[3] presented a transparent algorithm. In [4] a simple syntactical characterization
for $\mathrel{|\!\sim}$ was given. This result implied that Visser’s rules $V = \{V_n \mid n = 1, 2, \ldots\}$,
where

$$V_n \colon\quad \Big(\bigwedge_{i=1}^{n} (A_i \to B_i) \to A_{n+1} \vee A_{n+2}\Big) \;\mathrel{|\!\sim}\; \bigvee_{j=1}^{n+2} \Big(\bigwedge_{i=1}^{n} (A_i \to B_i) \to A_j\Big),$$

form a basis for the admissible rules of IPC. Intuitively, this means that all
admissible rules of IPC can be obtained from Visser’s rules via derivability in
IPC. Here we strengthen this result in the following way. Our aim is to present
a decent proof system for $\mathrel{|\!\sim}$, i.e. a system that, given $A \mathrel{|\!\sim} B$, tells what are the
syntactical manipulations one has to apply to $A$ to obtain $B$. With decent we
mean something like “as cut-free as possible”. The mentioned characterization
does not fulfill this aim since it contains a full cut rule: if $A \mathrel{|\!\sim} B$ and $B \mathrel{|\!\sim} C$,
then $A \mathrel{|\!\sim} C$. The form of $V$ does not seem to suggest the existence of a neat
cut-free Gentzen calculus for $\mathrel{|\!\sim}$, as the rules $V_n$ violate the subformula property.
Although cut elimination might not be possible in full extent, it might however
still be possible to reach the above mentioned goal in a satisfying way. Here we
present a result in this direction. We present a proof system ADM such that
$A \vdash_{\mathrm{ADM}} B$ implies $A \mathrel{|\!\sim} B$. The converse does not hold. However, the system is
complete in the sense that for every formula $A$ there exists a unique formula
$A \vdash_{\mathrm{ADM}} A_A$ such that

$$\forall B \colon\; A \mathrel{|\!\sim} B \text{ iff } A_A \vdash B.$$

Thus, given $A$, once one has obtained $A_A$ via ADM, $A \mathrel{|\!\sim} B$ is reduced to $A_A \vdash B$.
The system ADM is “cut-free” in the sense that it consists solely of “rewriting”
rules and applications of $V$. With “rewriting” rules we mean in this context
simple rules that e.g. infer $(A \to B) \wedge (A \to C)$ from $(A \to B \wedge C)$. In contrast
to $V$, all these rules of ADM are derivable admissible rules. Note that this result
implies that $V$ is a basis for the admissible rules of IPC. However, it is stronger
in the sense that it provides more information about $\mathrel{|\!\sim}$.

These results are intimately linked with and inspired by results from Ghilardi’s
papers [2] and [3]. In fact, our main theorem heavily relies on results in [3].
His results stem from research on unification in intermediate and modal logics.
To this end he defines in [2] the notion of a projective formula. A formula $A$ is
called projective if there exists a substitution $\sigma$ such that

$$\vdash \sigma A \quad\text{and}\quad \forall B\, (A \vdash \sigma B \leftrightarrow B).$$

Projective formulas are very useful in the context of admissible rules because
of the following property: for every projective formula $A$, for all formulas $B$:
$A \mathrel{|\!\sim} B$ iff $A \vdash B$. Ghilardi shows in [2] that every formula $A$ has a projective
approximation $\Pi(A)$. $\Pi(A)$ is a finite set of projective formulas that derive $A$ and
such that for every projective $C$ that derives $A$ there exists $D \in \Pi(A)$ such that
$C \vdash D$. It follows from [2] that, like for $A_A$, it holds that $A \mathrel{|\!\sim} B$ iff $\bigvee \Pi(A) \vdash B$.
However, for our aim of giving a proof system that derives $A_A$ from $A$, it seems
that the notion of admissible projective sets instead of projective approximations
is more useful. An admissible projective set for a formula $A$ is a set of formulas
$X$ such that all formulas in $X$ are either inconsistent or projective and

$$A \mathrel{|\!\sim} \bigvee X \vdash A.$$

A formula $A$ is inconsistent if $A \vdash \bot$. The special behavior of projective formulas
w.r.t. admissibility clearly holds for inconsistent formulas too:

For every projective or inconsistent formula $A$, for all formulas $B$: $A \mathrel{|\!\sim} B$ iff
$A \vdash B$. If $X$ is an admissible projective set for a formula $A$, then for all formulas
$B$: $A \mathrel{|\!\sim} B$ iff $\bigvee X \vdash B$.

Now the main theorems of the paper, Theorem 1 and 2, state the following:

Theorem 1: If $A \vdash_{\mathrm{ADM}} B$ then $A \mathrel{|\!\sim} B$.

Theorem 2: For every formula $A$ there exists a unique formula $A_A = \bigvee \mathrm{dj}(\Lambda_A)$,
such that $\mathrm{dj}(\Lambda_A)$ is an admissible projective set for $A$ and $A \vdash_{\mathrm{ADM}} A_A$.

These results have various consequences for other intermediate logics. The
most interesting one being that $V$ is a basis for the admissible rules for any
intermediate logic for which it is admissible. Due to lack of space we are not
able to include these results here. They are discussed in [5]. The system ADM
is not yet as elegant and neat, and hence as useful, as one would hope and
expect. In particular, instead of replacing previously derived expressions, it just
adds expressions to the initial formula. We hope to be able to present a better
system in the near future.

2 Preliminaries 

In this paper we will only be concerned with intuitionistic propositional logic IPC.
We write $\vdash$ for derivability in IPC. The letters $A, B, C, D, E, F, H$ range over formulas,
the letters $p, q, r, s, t$ range over propositional variables. We assume $\top$ and
$\bot$ to be present in the language. $\neg A$ is defined as $(A \to \bot)$. We omit parentheses
when possible; $\wedge$ binds stronger than $\vee$, which in turn binds stronger than $\to$.
A substitution $\sigma$ will in this paper always be a map from propositional formulas
to propositional formulas that commutes with the connectives. A (propositional)
admissible rule of IPC is a rule $A/B$ such that adding the rule to the logic does
not change the theorems of IPC, i.e. $\forall \sigma : \vdash \sigma A$ implies $\vdash \sigma B$. We write $A \mathrel{|\!\sim} B$
if $A/B$ is admissible. The rule is called derivable if $A \vdash B$ and proper if $A \nvdash B$.
We say that a collection $\mathcal{R}$ of rules, e.g. $V$, is admissible if all rules in $\mathcal{R}$ are
admissible. We write $A \vdash_{\mathcal{R}} B$ if $B$ is derivable from $A$ in the logic consisting of
IPC extended with the rules $\mathcal{R}$, i.e. there are $A = A_1, \ldots, A_n = B$ such that for
all $i < n$, $A_i \vdash A_{i+1}$ or there exists a $\sigma$ such that $\sigma B_i / \sigma B_{i+1} = A_i / A_{i+1}$ and
$B_i / B_{i+1} \in \mathcal{R}$. A set $\mathcal{R}$ of admissible rules is a basis for the admissible rules if
for every admissible rule $A \mathrel{|\!\sim} B$ we have $A \vdash_{\mathcal{R}} B$.

3 The System ADM 

The aim of the system ADM is to derive a formula $A_A$, which is the disjunction
of an admissible projective set for $A$, by applying some syntactical rules
to $A$. Intuitively it works as follows. First $A$ is rewritten into a disjunction of
conjunctions. Under all other rewriting rules that follow it will remain in this
form, i.e. in each step the algorithm will only change one of the conjuncts of
some disjunct of the formula. We write these conjuncts as sequents, which are
interpreted in the usual way as implications. For the outer conjunctions and
disjunctions we use different symbols, to distinguish them from the symbols in
the sequent. The symbol “$\cdot$” is interpreted as conjunction, the symbol “$|$” as
disjunction, where $\cdot$ binds stronger than $|$. Thus e.g. $S_1 \mid S_2 \cdot S_3$ stands for
$S_1 \vee (S_2 \wedge S_3)$. The interpretation of $|$ as disjunction is in accordance with its
interpretation in hypersequent calculi, see e.g. [1]. Our sequents will be of the
form $\Gamma, \Pi \Rightarrow \Delta$, where $\Gamma$, $\Pi$ and $\Delta$ are sets of formulas. We denote these sets
without the $\{$’s and the commas. Thus e.g. $A\, (B \wedge C), D \Rightarrow E\, F$ is a sequent
in the sense defined above, and means $\{A, B \wedge C\}, \{D\} \Rightarrow \{E, F\}$. Also, if we
write $\Gamma\, \{A_i \mid i = 1, 2\}, \Pi \Rightarrow \Delta$ we mean $\Gamma\, A_1 A_2, \Pi \Rightarrow \Delta$. We let $S$ range over
sequents, $\Theta$ over expressions of the form $S_1 \cdot S_2 \cdot \cdots \cdot S_n$, and $\Lambda$ over expressions
of the form $\Theta_1 \mid \Theta_2 \mid \cdots \mid \Theta_n$. The $\Theta$ are called conjunction expressions and
the $\Lambda$ are called disjunction expressions. Both $\Theta$ and $\Lambda$ are considered as sets
whose components are respectively sequents and conjunction expressions. Thus
e.g. $S_1 \cdot S_2 \cdot S_1 = S_2 \cdot S_1$. If $\Theta = S_1 \cdot S_2 \cdot \cdots \cdot S_n$, the $S_i$ are called the conjuncts
of $\Theta$, and $\Theta$ is interpreted as the formula $S'_1 \wedge \ldots \wedge S'_n$, where $S'_i$ is the formula
corresponding to the sequent $S_i$. We write $S \in \Theta$ if $\Theta$ is of the form $\Theta' \cdot S$, i.e.
if $S$ is a conjunct of $\Theta$. For $\Lambda = \Theta_1 \mid \Theta_2 \mid \cdots \mid \Theta_n$, the $\Theta_i$ are called the disjuncts
of $\Lambda$, and $\Lambda$ is interpreted as the formula $(\bigwedge \Theta'_1) \vee \ldots \vee (\bigwedge \Theta'_n)$, where $\Theta'_i$ is the
formula corresponding to $\Theta_i$. Sometimes we use sequents and conjunction and
disjunction expressions also for their corresponding propositional formula. If we
write a sequent but mean a formula, we often leave out the comma between $\Gamma$
and $\Pi$ since it plays no role in the context of formulas: $\Gamma\Pi \Rightarrow \Delta$ has the same
interpretation as $\Gamma, \Pi \Rightarrow \Delta$. We write $\Gamma\Pi$ for $\Gamma \cup \Pi$. The empty conjunction
is taken to be $\top$ and the empty disjunction is $\bot$. For a formula $A$ we define its
corresponding disjunction expression (the $s$ for succedent):

$$\Lambda^s_A =_{\mathrm{def}} (\Rightarrow A).$$

Note that $\vdash A \leftrightarrow \Lambda^s_A$. In fact, following our convention, $\Lambda^s_A$ is interpreted as
the formula $(\top \to A)$ in $\vdash A \leftrightarrow \Lambda^s_A$.

Definition 1. We associate the following sets with a given set $\Gamma$:

$$\Gamma^a = \{A \mid \exists B\, (A \to B \in \Gamma)\}$$

$$\Gamma_p = \{A \in \Gamma \mid \exists B\, (A = p \to B)\}$$

$$C^{A \to B} = \begin{cases} B \to D & \text{if } C = (A \to B) \to D \\ C & \text{otherwise} \end{cases}$$

$$C^{A \wedge} = \begin{cases} A \to (A' \to B) & \text{if } C = (A \wedge A' \to B) \\ C & \text{otherwise} \end{cases}$$

$$C^{\wedge A} = \begin{cases} A \to (A' \to B) & \text{if } C = (A' \wedge A \to B) \\ C & \text{otherwise} \end{cases}$$

$$C^{A \vee A'} = \begin{cases} (A \to B) \wedge (A' \to B) & \text{if } C = (A \vee A' \to B) \\ C & \text{otherwise} \end{cases}$$

For a set $\Gamma$ we define $\Gamma^{A \to B} = \{C^{A \to B} \mid C \in \Gamma\}$. Similarly for the other
superscripts.
The rules of ADM are the following; in each rule the upper expression is rewritten
into the lower one, and the condition in parentheses states which sequent(s) of $\Theta$
the rule is applied to.

$$\mathrm{L}\Gamma\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma\, A \to B, \Pi \Rightarrow \Delta \in \Theta)}{\Lambda \mid \Theta \cdot \Gamma\, A \to B, \Pi \Rightarrow A\, \Delta \cdot \Gamma\, B, \Pi \Rightarrow \Delta}$$

$$\mathrm{L}\Pi\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma, A \to B\, \Pi \Rightarrow \Delta \in \Theta)}{\Lambda \mid \Theta \cdot \Gamma, A \to B\, \Pi \Rightarrow A\, \Delta \cdot \Gamma\, B, \Pi \Rightarrow \Delta}$$

$$\mathrm{R}\wedge\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma, \Pi \Rightarrow A \wedge B\, \Delta \in \Theta)}{\Lambda \mid \Theta \cdot \Gamma^{A \wedge}, \Pi \Rightarrow A\, \Delta \cdot \Gamma^{\wedge B}, \Pi \Rightarrow B\, \Delta}$$

$$\mathrm{R}\vee\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma, \Pi \Rightarrow A \vee B\, \Delta \in \Theta)}{\Lambda \mid \Theta \cdot \Gamma^{A \vee B}, \Pi \Rightarrow A\, B\, \Delta}$$

$$\mathrm{R}\to\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma, \Pi \Rightarrow A \to B\, \Delta \in \Theta)}{\Lambda \mid \Theta \cdot A\, \Gamma^{A \to B}, \Pi \Rightarrow B\, \Delta}$$

$$\mathrm{Res}\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma, \Pi \Rightarrow p\, \Delta \in \Theta,\; p\, \Gamma', \Pi' \Rightarrow \Delta' \in \Theta)}{\Lambda \mid \Theta \cdot (\Gamma \setminus \Gamma_p)\, \Gamma', \Gamma_p\, \Pi\, \Pi' \Rightarrow \Delta\, \Delta'}$$

$$V_g\colon\quad \frac{\Lambda \mid \Theta \qquad (\Gamma, \Pi \Rightarrow \Delta \in \Theta,\; n > 0,\; \Gamma \text{ only implications},\; \Gamma^a \subseteq \Delta = A_0 \ldots A_n)}{\Lambda \mid \Theta \cdot \Gamma\Pi, \Rightarrow A_0 \mid \ldots \mid \Theta \cdot \Gamma\Pi, \Rightarrow A_n}$$

Res stands for resolution. The rule is named after an analogous rule in Ghilardi’s
algorithm CHECK-PROJECTIVITY. The expressions $\Lambda$ are called side
expressions. The conjunction expressions in the inferences that do not occur
in $\Lambda$ are the principal conjunction expressions of the inference. The sequents
that are explicitly indicated in the rules above are called principal sequents
of the inference. Note that rules have in general more than one principal formula,
sequent and conjunction expression. If $\Lambda / \Lambda'$ is an instance of a rule
$R$, then we write $\Lambda \vdash^{R}_{\mathrm{ADM}} \Lambda'$ or $\Lambda \vdash_{\mathrm{ADM}} \Lambda'$. If there are $\Lambda_1 \ldots \Lambda_n$ such that
$\Lambda = \Lambda_1 \vdash_{\mathrm{ADM}} \ldots \vdash_{\mathrm{ADM}} \Lambda_n = \Lambda'$, we write $\Lambda \vdash_{\mathrm{ADM}} \Lambda'$. The depth of a disjunction
expression $\Lambda$ in a derivation $\mathcal{D} = \Lambda_1, \ldots, \Lambda_n$ is the minimal $i$ such that
$\Lambda = \Lambda_i$. The depth of a conjunction expression $\Theta$ in $\mathcal{D}$ is the minimal $i$ such
that $\Theta$ is a conjunct of $\Lambda_i$.

We will be only interested in derivations $\Lambda^s_A \vdash_{\mathrm{ADM}} \Lambda$, where the first expression
is of the special form $\Lambda^s_A$ for some formula $A$. The $\Lambda$ that occur in these
derivations have some special properties, as we will see in Proposition 1. We
leave it to the reader to check that the following holds. If $\Lambda^s_A \vdash_{\mathrm{ADM}} \Lambda$, then for
all sequents $\Gamma, \Pi \Rightarrow \Delta$ that occur in $\Lambda$, the set $\Pi$ consists only of implications.

Definition 2. A set $\Gamma$ is called simple if all its elements are implications or
propositional variables. A sequent $\Gamma, \Pi \Rightarrow \Delta$ is called simple if $\Gamma\Pi\Delta$ is simple.
A derivation in ADM is in normal form if the principal sequents in any Res or
$V_g$ inference are simple. If $\mathcal{D}$ is the smallest normal form derivation $\Lambda^s_A \vdash_{\mathrm{ADM}} \Lambda$
such that for all $\Lambda \vdash^{R}_{\mathrm{ADM}} \Lambda'$ we have $\Lambda' = \Lambda$, then we denote $\Lambda$ by $\Lambda_A$. Observe
that $\Lambda_A$ is unique. We denote the set of all disjuncts of a disjunction expression
$\Lambda$ by $\mathrm{dj}(\Lambda)$. Thus $\vdash \Lambda \leftrightarrow \bigvee \mathrm{dj}(\Lambda)$. We define

$$p(\Lambda) = \{\Theta \mid \Theta \in \mathrm{dj}(\Lambda),\; \Theta \text{ has no conjunct } (\Gamma, \Pi \Rightarrow \bot) \text{ for which } \Gamma^a = \{\top\}\}.$$
3.1 Properties of ADM

All rules of ADM except $\mathrm{R}\wedge$, $\mathrm{R}\vee$ and $\mathrm{R}\to$ have a subformula property: the
formulas that occur in the sequents of the lower expression are subformulas of
the formulas in the sequents in the upper expression. The reason that e.g. $\mathrm{R}\vee$ is
not formulated in the naive way $\Gamma, \Pi \Rightarrow A \vee B\, \Delta \,/\, \Gamma, \Pi \Rightarrow A\, B\, \Delta$ (we have left
out the side expressions), in which case it would have the subformula property,
is best explained by an example. Consider a formula $A = (B \to p \vee q)$ where
$B = (p \vee q \to r)$. Formulating $\mathrm{R}\vee$ in the naive way would give the following
derivation.

$$\begin{array}{ll}
 & \Rightarrow A \\
\mathrm{R}\to & B, \Rightarrow p \vee q \\
\mathrm{R}\vee & B, \Rightarrow p\, q \\
V_g & B, \Rightarrow p \vee q \mid B, \Rightarrow p \mid B, \Rightarrow q
\end{array}$$



It is not difficult to see that this implies that $\Lambda_A$ will contain a disjunct that
is equivalent to $A \wedge (r \to p \vee q)$. The semantical characterization of projective
formulas given by Ghilardi [2], and recalled in the appendix, shows that neither
is this formula projective, nor is it inconsistent. Therefore, the naive formulation
of $\mathrm{R}\vee$ does not suffice for our purposes. In our case the above derivation will
become:

$$\begin{array}{ll}
 & \Rightarrow A \\
\mathrm{R}\to & B, \Rightarrow p \vee q \\
\mathrm{R}\vee & (p \to r)(q \to r), \Rightarrow p\, q \\
V_g & (p \to r)(q \to r), \Rightarrow p \mid (p \to r)(q \to r), \Rightarrow q \\
\mathrm{L}\Gamma & (p \to r)(q \to r), \Rightarrow p \cdot (q \to r)\, r, \Rightarrow p \mid (p \to r)(q \to r), \Rightarrow q \cdot (p \to r)\, r, \Rightarrow q
\end{array}$$



This shows that the non-projective disjunct will not appear in this way. Similar
reasons explain the form of $\mathrm{R}\wedge$ and $\mathrm{R}\to$.

Although there is no subformula property, the situation is not that bad.
All formulas in the sequents that appear in a derivation from $\Lambda^s_A$ belong to
the smallest set $\mathcal{A}$ that contains the subformulas of $A$ and that is closed under
the operations $()^{A \to B}$, $()^{B \vee C}$, $()^{B \wedge}$, $()^{\wedge B}$. Clearly, this set is finite. Note that the
finiteness of $\mathcal{A}$ implies that $\Lambda_A$ exists.

The rule $V_g$ is different from the other rules in that it adds a sequent $S$
to a conjunct $\Theta$ that is in general not derivable from $\Theta$. However, as we will
see in Theorem 1, the upper expression of the $V_g$ rule admissibly derives the
lower expression, at least in derivations that start with a sequent of the form
$\Lambda^s_A$. If in the application of the $V_g$ rule to a sequent $\Gamma, \Pi \Rightarrow \Delta$, the set $\Pi$
is empty, this follows already from the admissibility of the rule $V$ mentioned
in the introduction. If $\Pi$ is non-empty, $V_g$ is a generalization of the rule $V$.
In the remainder of this section we show that the admissibility of $V$ implies
the admissibility of $V_g$. This is the main ingredient of Theorem 1 in which we
show that $A \mathrel{|\!\sim} A_A \vdash A$. We need this generalization of $V$ to make the proof of
Theorem 2, in which we show that $\mathrm{dj}(\Lambda_A)$ is an admissible projective set, work.



Remark 1. We will need the following consequences of the admissibility of V, the verification of which we leave to the reader. If Γ and Σ are two sets of implications, it holds, if at least one of the conditions stated below is satisfied, that

\[
\Gamma\Sigma \Rightarrow \Delta \;\mid\!\sim\; \bigvee_{A \in \Delta \cup \Sigma^a} (\Gamma\Sigma \Rightarrow A).
\]

The conditions are as follows. (1) Γ^a ⊆ Δ. (2) For all A ∈ Γ^a there exists a B ∈ Δ such that A ⊢ B. (3) Γ^a = {⋁Δ}. For in this case ⋀Γ is equivalent (over IPC, and hence over L) to ⋀{A → B | ⋁Δ → B ∈ Γ, A ∈ Δ}.

Definition 3. For a set of formulas I we denote {A → B ∈ Π | A ∈ I} by Π^I. For a sequent (Γ, Π ⇒ Δ) we define

\[
(\Gamma, \Pi \Rightarrow \Delta)^I \;=\; \Gamma\,\{A \in \Pi^a \mid A \in I\},\; \Pi \setminus \Pi^I \Rightarrow \Delta .
\]

For a sequent S we say that another sequent (Γ, Π ⇒ Δ) is S-correct if ∀I ⊆ Π^a : S ⊢ (Γ, Π ⇒ Δ)^I. For a set of implications Π we define

\[
\Pi_\Delta \;=\; \{\textstyle\bigvee\Delta \to D \mid \exists C\,(C \to D \in \Pi)\},
\]

i.e. Π_Δ is the result of replacing all antecedents of the implications in Π by ⋁Δ. Finally, Π^I_Δ = (Π^I)_Δ.

Remark 2. If Γ, Π ⇒ Δ is S-correct then S ⊢ Γ, Π ⇒ Δ. If Π is empty, then Γ, Π ⇒ Δ is S-correct iff S derives Γ, Π ⇒ Δ.

The reader is advised to first read the proof of Proposition 1 before embarking on the following two lemmas, which may otherwise seem somewhat mysterious.

Lemma 1. If the sequent Γ, Π ⇒ Δ is S-correct then for all I ⊆ Π^a the sequent ΓΠ^I_Δ, Π\Π^I ⇒ Δ is S-correct too.

Proof. We use induction on |I|. The case |I| = 0 follows from the S-correctness of Γ, Π ⇒ Δ. Suppose |I| > 0. Let Σ = Π\Π^I. We have to show that for all J ⊆ Σ^a

\[
S \vdash \Gamma\Pi^I_\Delta\,\{A \in \Sigma^a \mid A \in J\},\; \Sigma \setminus \Sigma^J \Rightarrow \Delta. \tag{1}
\]

Pick a C ∈ I and let I' = I\{C} and Σ' = Π\Π^{I'}. Note that C ∉ Σ^a, whence C ∉ J and Σ^a ∪ {C} = (Σ')^a. The induction hypothesis says that ΓΠ^{I'}_Δ, Π\Π^{I'} ⇒ Δ is S-correct. This implies that we have for all H ⊆ (Σ')^a

\[
S \vdash \Gamma\Pi^{I'}_\Delta\,\{A \in (\Sigma')^a \mid A \in H\},\; \Sigma' \setminus (\Sigma')^H \Rightarrow \Delta. \tag{2}
\]

Thus we have S ⊢ ΓΠ^{I'}_Δ {A ∈ (Σ')^a | A ∈ J}, Σ'\(Σ')^J ⇒ Δ by taking H = J. We show that

\[
S \vdash \Gamma\Pi^I_\Delta\,\{A \in \Sigma^a \mid A \in J\},\; \Sigma \setminus \Sigma^J \;\Rightarrow\; \bigwedge \Gamma\Pi^{I'}_\Delta\,\{A \in (\Sigma')^a \mid A \in J\},\; \Sigma' \setminus (\Sigma')^J .
\]

Then (1) will follow from (2). Clearly, S ⊢ ΓΠ^I_Δ ⇒ ⋀Π^{I'}_Δ. Since Σ^a ∩ J = (Σ')^a ∩ J also S ⊢ {A ∈ Σ^a | A ∈ J} ⇒ ⋀{A ∈ (Σ')^a | A ∈ J}. It remains to show that S ⊢ ΓΠ^I_Δ {A ∈ Σ^a | A ∈ J}, Σ\Σ^J ⇒ ⋀ Σ'\(Σ')^J. Observe that Σ'\(Σ')^J = Σ\Σ^J ∪ {C → D | C → D ∈ Π} since C ∉ J. Therefore, it suffices to show that for all (C → D) ∈ Π we have

\[
S \vdash \Gamma\Pi^I_\Delta\,\{A \in \Sigma^a \mid A \in J\},\; \Sigma \setminus \Sigma^J \Rightarrow C \to D.
\]

The following derivation shows that this holds.

\[
\begin{array}{l}
S \vdash \Gamma\Pi^{I'}_\Delta\, C\, \{A \in (\Sigma')^a \mid A \in J\},\; \Sigma' \setminus (\Sigma')^{J \cup \{C\}} \Rightarrow \Delta\\[3pt]
S \vdash \Gamma\Pi^{I'}_\Delta\, \{A \in (\Sigma')^a \mid A \in J\},\; \Sigma' \setminus (\Sigma')^{J \cup \{C\}} \Rightarrow C \to \bigvee\Delta\\[3pt]
S \vdash \Gamma\Pi^{I'}_\Delta\, (\bigvee\Delta \to D)\, \{A \in (\Sigma')^a \mid A \in J\},\; \Sigma' \setminus (\Sigma')^{J \cup \{C\}} \Rightarrow C \to D\\[3pt]
S \vdash \Gamma\Pi^{I}_\Delta\, \{A \in \Sigma^a \mid A \in J\},\; \Sigma' \setminus (\Sigma')^{J \cup \{C\}} \Rightarrow C \to D\\[3pt]
S \vdash \Gamma\Pi^{I}_\Delta\, \{A \in \Sigma^a \mid A \in J\},\; \Sigma \setminus \Sigma^{J} \Rightarrow C \to D
\end{array}
\]

The first step is (2) with H = J ∪ {C}. The step from the 3rd to the 4th line holds as Σ^a ∩ J = (Σ')^a ∩ J and (⋁Δ → D) ∈ Π^I_Δ. The step from the 4th to the 5th line holds as Σ\Σ^J = Σ'\(Σ')^{J∪{C}}. This proves the lemma.

262    Rosalie Iemhoff



Lemma 2. If Π consists of implications only and the sequent Γ, Π ⇒ Δ is S-correct, then for all I ⊆ Π^a:

\[
S \wedge \bigwedge\{\Gamma\Pi \Rightarrow A \mid A \in I\} \;\mid\!\sim\; \bigvee\{\Gamma\Pi \Rightarrow A \mid A \in \Delta \cup \Gamma^a \cup (\Pi^a \setminus I)\}.
\]

Proof. Consider I ⊆ Π^a. Let S' denote S ∧ ⋀{ΓΠ ⇒ A | A ∈ I}. Let Ξ denote ΓΠ^I_Δ, Π\Π^I and consider the sequent T = (Ξ ⇒ Δ). By Lemma 1, T is S-correct, whence it is S'-correct. In particular, S' ⊢ T. By Remark 1, S' |∼ ⋁{Ξ ⇒ A | A ∈ Δ ∪ Γ^a ∪ Π^a\I}. Whence we are done once we can show that S' ⊢ ΓΠ ⇒ A for all A ∈ Ξ. Clearly, S' ⊢ ΓΠ ⇒ A for all A ∈ I. Therefore, for all (A → B) ∈ Π for which A ∈ I, S' ⊢ ΓΠ ⇒ B, and whence S' ⊢ ΓΠ ⇒ ⋁Δ → B. Therefore, S' ⊢ ΓΠ ⇒ A for all A ∈ Ξ. This proves the lemma.



Proposition 1. If Γ and Π are sets of implications such that the sequent Γ, Π ⇒ Δ is S-correct and Γ^a ⊆ Δ, then S |∼ ⋁{ΓΠ ⇒ D | D ∈ Δ}.

Proof. The proposition follows from the following derivation, in which every line is admissibly derivable from S. The first line is Remark 1 together with Remark 2; each further step applies Lemma 2 to the conjuncts collected so far (the set I grows by one element of Π^a per step), and the last step is Lemma 2 with I = Π^a, using Γ^a ⊆ Δ.

\[
\begin{array}{ll}
\bigvee_{D \in \Delta}(\Gamma\Pi \Rightarrow D) \;\vee\; \bigvee_{A \in \Pi^a}(\Gamma\Pi \Rightarrow A) & \text{(Remarks 1 and 2)}\\[5pt]
\bigvee_{D \in \Delta}(\Gamma\Pi \Rightarrow D) \;\vee\; \bigvee_{A \in \Pi^a}\Big((\Gamma\Pi \Rightarrow A) \wedge \big(\bigvee_{D \in \Delta}(\Gamma\Pi \Rightarrow D) \vee \bigvee_{B \in \Pi^a,\, B \neq A}(\Gamma\Pi \Rightarrow B)\big)\Big) & \text{(Lemma 2)}\\[5pt]
\bigvee_{D \in \Delta}(\Gamma\Pi \Rightarrow D) \;\vee\; \bigvee_{A, B \in \Pi^a,\, A \neq B}(\Gamma\Pi \Rightarrow A) \wedge (\Gamma\Pi \Rightarrow B) & \\[5pt]
\qquad\vdots & \\[5pt]
\bigvee_{D \in \Delta}(\Gamma\Pi \Rightarrow D) \;\vee\; \bigwedge_{A \in \Pi^a}(\Gamma\Pi \Rightarrow A) & \\[5pt]
\bigvee_{D \in \Delta}(\Gamma\Pi \Rightarrow D) & \text{(Lemma 2)}
\end{array}
\]
Lemma 3. If Π consists of implications only, S' = (Γ, Π ⇒ ⊥) is S-correct, and Γ^a = {⊥}, then S ⊢ ⊥.

Proof. Let n = |Π^a|. With induction on n − |I| we show that for all I ⊆ Π^a

\[
S \vdash \bigwedge\{A \in \Pi^a \mid A \in I\} \to \bot. \tag{3}
\]

Let us first see that this implies the lemma. For all B ∈ Π^a, (3) gives S ⊢ ¬B, by taking I = {B}. This implies S ⊢ ⋀Π. Also, S ⊢ ⋀Γ because Γ^a = {⊥}. The S-correctness of S' gives S ⊢ (⋀ΓΠ ⇒ ⊥), by taking I = ∅. Whence S ⊢ ⊥.

It remains to prove (3). The case |I| = n follows from the S-correctness of (Γ, Π ⇒ ⊥) and the fact that S ⊢ ⋀Γ. Now the case |I| < n. By the induction hypothesis we have for all B ∈ Π^a\I that S ⊢ B ∧ ⋀{A ∈ Π^a | A ∈ I} → ⊥. Whence

\[
\forall B \in \Pi^a \setminus I :\quad S \vdash \bigwedge\{A \in \Pi^a \mid A \in I\} \to \neg B. \tag{4}
\]

This implies that S ⊢ ⋀{A ∈ Π^a | A ∈ I} → ⋀(Π\Π^I). By S-correctness we have

\[
S \vdash \bigwedge\Gamma \wedge \bigwedge\{A \in \Pi^a \mid A \in I\} \wedge \bigwedge(\Pi \setminus \Pi^I) \to \bot.
\]

Therefore, S ⊢ ⋀{A ∈ Π^a | A ∈ I} → ⊥.

Lemma 4. If A^s_A ⊢_ADM A and A = Θ_1 | … | Θ_n, then for all i ≤ n, all S ∈ Θ_i are Θ_i-correct.

Proof. We use induction on the depth d of A in the derivation D. The case d = 0 follows from Remark 2. Assume d > 0. We distinguish cases according to the last rule of D. Observe that if Γ, Π ⇒ Δ is S-correct and if S ⊢ Γ' ⇒ Γ and S ⊢ Γ Γ' Δ ⇒ Δ', then Γ', Π ⇒ Δ' is S-correct. This observation suffices for all cases except L→, ∨g and Res. We leave L→ to the reader. For the case ∨g, apply Remark 2. We treat the case Res. In this case the one but last disjunction expression in D is A' = A'' | Θ'' · Γ, Π ⇒ p Δ · pΓ', Π' ⇒ Δ' and

\[
A \;=\; A'' \mid \Theta'' \cdot \Gamma, \Pi \Rightarrow p\,\Delta \cdot p\Gamma', \Pi' \Rightarrow \Delta' \cdot (\Gamma \setminus \Gamma^p)\Gamma', \Gamma^p\Pi\Pi' \Rightarrow \Delta\Delta'.
\]

Let Θ' = Θ'' · Γ, Π ⇒ p Δ · pΓ', Π' ⇒ Δ' and

\[
\Theta \;=\; \Theta' \cdot (\Gamma \setminus \Gamma^p)\Gamma', \Gamma^p\Pi\Pi' \Rightarrow \Delta\Delta'.
\]

For the sequents in A'', Θ'' and the sequents S_1 = (Γ, Π ⇒ p Δ) and S_2 = (pΓ', Π' ⇒ Δ') the induction hypothesis applies. Whence they are Θ'-correct, and thus also Θ-correct. We consider the remaining sequent of A. Let Σ = Γ^p ΠΠ'. We have to show that for all I ⊆ Σ^a,

\[
\Theta \vdash (\Gamma \setminus \Gamma^p)\Gamma'\,\{A \in \Sigma^a \mid A \in I\},\; \Sigma \setminus \Sigma^I \Rightarrow \Delta\Delta'. \tag{5}
\]

Let I_1 = I ∩ Π^a and I_2 = I ∩ (Π')^a. Observe that Π\Π^{I_1} and Π'\(Π')^{I_2} are subsets of Σ\Σ^I. The fact that S_2 is Θ-correct implies that we have Θ ⊢ pΓ' {A ∈ (Π')^a | A ∈ I_2}, Π'\(Π')^{I_2} ⇒ Δ'. Whence

\[
\Theta \vdash p\,(\Gamma \setminus \Gamma^p)\Gamma'\,\{A \in \Sigma^a \mid A \in I\},\; \Sigma \setminus \Sigma^I \Rightarrow \Delta\Delta'. \tag{6}
\]

If p ∈ I, then p ∈ {A ∈ Σ^a | A ∈ I}. Hence (5) follows from (6). If p ∉ I we use the fact that S_1 is Θ-correct, i.e. Θ ⊢ Γ {A ∈ Π^a | A ∈ I_1}, Π\Π^{I_1} ⇒ p Δ. Since p ∉ I, Γ^p ⊆ Σ\Σ^I. Therefore it follows that

\[
\Theta \vdash (\Gamma \setminus \Gamma^p)\Gamma'\,\{A \in \Sigma^a \mid A \in I\},\; \Sigma \setminus \Sigma^I \Rightarrow p\,\Delta. \tag{7}
\]

Combining (7) with (6) gives (5).

Note that the previous lemma does not hold without the assumption that A^s_A ⊢_ADM A. The special form of the first expression plays a role in the induction.

Theorem 1. If A^s_A ⊢_ADM A ⊢_ADM A' then A |∼ A' ⊢ A. In particular, A |∼ A_A ⊢ A. In fact, for all rules R except ∨g, even A ⊢_ADM A' by R implies A ⊢ A' ⊢ A.

Proof. We use induction on the depth d of the derivation. The proof of A' ⊢ A is trivial. For A |∼ A', in the case d = 0 we have A = A'. For d > 0 we distinguish cases according to the last rule that is applied. We only treat the case ∨g. Suppose A' is derived from the application of the rule ∨g to A. Suppose A = A'' | Θ · S, where S = (Γ, Π ⇒ Δ) with Δ = A_0 … A_n and Γ a set of implications such that Γ^a ⊆ Δ. As observed before, the fact that A^s_A ⊢_ADM A implies that Π consists of implications only. For 0 ≤ i ≤ n, let S_i = (ΓΠ ⇒ A_i). Whence

\[
A' \;=\; A'' \mid \Theta \cdot S_0 \mid \dots \mid \Theta \cdot S_n.
\]

Therefore, to prove the theorem it suffices to show that Θ ∧ S |∼ S_0 ∨ … ∨ S_n. This follows from Lemma 4 in combination with Proposition 1.

Note that in the previous theorem, the fact that A and A' appear in derivations from A^s_A is crucial: in general, A ⊢_ADM A' does not imply A |∼ A'. The previous theorem together with the second main theorem, Theorem 2 proved in the next section, shows that ADM has the properties we want it to have, as discussed in the introduction.



3.2 Properties of A_A

In this section we discuss only IPC. Whence ⊢ and |∼ stand again for ⊢_IPC and |∼_IPC. Recall from Theorem 1 that A |∼ A_A ⊢ A. The last fact implies that for all disjuncts Θ of A_A we have Θ ⊢ A.

Lemma 5. For every formula A, for every Θ ∈ dj(A_A)\p(A_A), it holds that ⊢ ¬Θ.

Proof. Let Θ be a disjunct of A_A that is not in p(A_A). Since Θ ∉ p(A_A) it follows that Θ contains a conjunct (Γ, Π ⇒ ⊥) for which Γ^a = {⊥}. By Lemma 4, (Γ, Π ⇒ ⊥) is Θ-correct. Thus by Lemma 3 we have Θ ⊢ ⊥.



Lemma 6. For any formula A, every formula in p(A_A) is projective.

Proof. Let Θ be one of the disjuncts of A_A. We show that if Θ ∈ p(A_A), then Θ is projective. We will use Ghilardi's algorithm, described in the appendix, to show this. As Ghilardi remarks in [3], the order in which the steps of the algorithm are applied is irrelevant. We will apply them in the following order.

S1 Apply T⊤, T⊥, Tp, T∧, T∨, T¬, T→ and the two Simplification Rules.

S2 Apply F⊤, F⊥, Fp, F∧, F∨, F¬ and F→.

S3 Apply the Resolution Rule.

We apply these steps S1–S3 as long as possible, and we will not apply S3 (S2) as long as we can apply S2 (S1). When computing the algorithm on a formula A, we will initialize with {TA}. The input formulas of the algorithm are conjunctions of implications. Thus in this case it would e.g. be (⊤ → A). According to the Initialization we should then start with {T⊤, TA}. After one application of T⊤ we have {TA} instead. Thus we see that starting with {TA} gives the same result as starting with the Initialization according to the algorithm. We do this only to obtain a smooth induction. Namely, we will show in Claim 1 that when applying the algorithm in this order to Θ, for every set O that is created there exists a conjunct S_O = (Γ, Π ⇒ Δ) of Θ with certain properties. Then we show, in Claim 2 and Claim 3, that this implies that either all output sets of Θ contain atomic modalities or Θ ∉ p(A_A). By Theorem 4.2 of [3] (cited here as Theorem 4) all formulas for which all output sets contain atomic modalities are projective. This then proves the lemma. We denote {A ∈ Γ | TA ∉ O} by Γ\TO. For X, Y, Z ∈ {T, T^+, T^c} or X, Y, Z ∈ {F, F^+, F^c}, XYO denotes XO ∪ YO and XYZO denotes XO ∪ YO ∪ ZO.

Claim 1. For every O that is created and not removed there exists a conjunct S_O = (Γ, Π ⇒ Δ) of Θ that satisfies the following properties:

(a) TT^+O ⊆ ΓΠ

(b) Δ = FF^−F^cO

(c) ∀B ∈ (ΓΠ\TO) (B is an implication and Θ ⊢ ⋀T^cO → B)

(d) ∀(B → C) ∈ (Γ\TO) (B ∈ Δ ∪ {⊥}).

Proof. With induction on the number of sets that were created before O.

The Initialization is clear. We consider the induction step. We distinguish cases according to the step Si in which O is created. Assume O is the result of an application of a rule to O' or, in the case of Res, to (O', O''). The induction hypothesis for O' implies that there is a conjunct S_{O'} of Θ that satisfies (a)–(d) w.r.t. O'. Clearly, the Simplification Rules do not have to be considered. Observe that we can also omit the rules T¬ and F¬, as they can be seen as consecutive applications of T→ and T⊥ or F→ and F⊥ respectively.

S1. O is the result of an application of one of the rules T⊤, T⊥, Tp, T∧, T∨ and T→ to some formula in O'. In the cases T⊤ and Tp we take S_O = S_{O'}. In the case T⊥, O' is removed, so O does not exist. We treat the cases T∧ and T→ and leave T∨ to the reader. In the first case T∧ is applied to some formula T(B ∧ C) ∈ O'. By (a), S_{O'} = (Γ B ∧ C, Π ⇒ Δ) for some Γ, Π, Δ. We let S_O = (Γ B C, Π ⇒ Δ). This sequent is a conjunct of Θ by the rule L∧. We leave it to the reader to check that S_O satisfies (a)–(d). For the case T→, O is the result of an application of T→ to some formula T(B → C) in O'. By (a), S_{O'} = (Γ B → C, Π ⇒ Δ) or S_{O'} = (Γ, B → C Π ⇒ Δ). Assume we are in the first situation. The second one is analogous. We have

O = O'\{T(B → C)} ∪ {T^c(B → C), FB}  or  O = O'\{T(B → C)} ∪ {TC}.

In the first case, take S_O = (Γ B → C, Π ⇒ B Δ). In the second case take S_O = (Γ C, Π ⇒ Δ). The rule L→ in ADM guarantees that S_O is a conjunct of Θ. We leave it to the reader to check that in both cases S_O satisfies (a)–(d).

S2. O is the result of an application of F⊤, F⊥, Fp, F∧, F∨ or F→ to some formula in O'. We treat the cases F∧ and F→. The case F∨ is similar to the case F∧. First, the case F∧. Then F∧ is applied to some F(B ∧ C) ∈ O'. By (b), S_{O'} = (Γ, Π ⇒ B ∧ C Δ). Thus

O = O'\{F B ∧ C} ∪ {FB}  or  O = O'\{F B ∧ C} ∪ {FC}.

For reasons of symmetry we only have to consider one case, suppose the first one. The rule R∧ in ADM implies that Θ has a conjunct Γ^{B∧}, Π ⇒ B Δ. Let S_O be this conjunct. To see that (a) holds, note that since S1 cannot be applied, there are no formulas TC in O' and whence in O. It is easy to see that (b) holds. For (c), observe that formulas in Γ, if replaced in going from S_{O'} to S_O, are only replaced by equivalent formulas. Whence the induction hypothesis applies. For (d), note that formulas (B ∧ C → D) ∈ Γ are replaced by (B → (C → D)) ∈ Γ^{B∧}.

Second, the case F→. There is some F(B → C) ∈ O' such that

O = O'\{F B → C} ∪ {TB, FC}  or  O = O'\{F B → C} ∪ {F^c(B → C)}.

By (b), S_{O'} = (Γ, Π ⇒ B → C Δ). In the first case take S_O = (B Γ^{B→C}, Π ⇒ C Δ). This is a conjunct of Θ by R→. To see that (a) holds: since S1 cannot be applied to O', there are no formulas of the form TD in O except TB. (b) is easy. The only problematic case for (c) might be formulas (B → C) → D ∈ Γ. However, note that the fact that Θ ⊢ ⋀T^cO' → ((B → C) → D) implies Θ ⊢ ⋀T^cO → (C → D). For (d), observe that formulas (B → C) → D ∈ Γ are replaced by (C → D) in Γ^{B→C}. In the second case take S_O = S_{O'}. Here we leave the verification of (a)–(d) to the reader.

S3. O is the result of applying the Resolution Rule to (O', O''). By (a) and (b) we may assume that S_{O'} and S_{O''} have the following form.

S_{O'} = (Γ, Π ⇒ p Δ)  and  S_{O''} = (pΓ', Π' ⇒ Δ').

Note that since S1 and S2 cannot be applied, both sequents are simple. We take S_O = (Γ\Γ^p)Γ', Γ^p ΠΠ' ⇒ ΔΔ'. Note that this sequent is a conjunct of Θ by the rule Res and the fact that S_{O'} and S_{O''} are simple (recall that we assume the proof to be in normal form). We leave the verification of (a), (b) and (c) to the reader. For (d), observe that the only possibly problematic case would be formulas (p → A) ∈ Γ. However, for these formulas the property (d) does not have to hold anymore, because of their place in S_O. This finishes the proof of the claim.
Claim 2. If an algorithm set O contains only context modalities, and F^cO is non-empty, then O is removed by the Simplification Rule.

Proof. Let S_O = (Γ, Π ⇒ Δ). By (c) this implies that ΓΠ consists of implications only. By (b) and the fact that O contains only context modalities, Δ consists of implications and propositional variables only. In particular, S_O is simple. Note that (b) implies that Δ is non-empty. By (d), Γ^a ⊆ Δ. Whence the rule ∨g implies that there exists an A ∈ Δ such that (ΓΠ ⇒ A) is a conjunct of Θ. By (c), Θ ⊢ ⋀T^cO → ⋀ΓΠ. Whence Θ ⊢ ⋀T^cO → A. Since A ∈ F^cO, this shows that O will be removed. This proves the claim.

Claim 3. If an algorithm set O contains only context modalities, and F^cO is empty, then Θ contains a conjunct (Γ, Π ⇒ ) with Γ^a = {⊥}.

Proof. Let S_O = (Γ, Π ⇒ Δ). By (d), Γ^a = {⊥}. By (b), Δ is empty. This proves the claim.

Observe that if Θ contains a conjunct (Γ, Π ⇒ ), then it also contains a conjunct (Γ, Π ⇒ ⊥). Since Θ ∈ p(A_A), it does not contain such conjuncts. Therefore, Claim 3 implies that if an algorithm set of Θ contains only context modalities, then F^cO is non-empty. Claim 2 implies that this set will be removed. This proves that all output sets of Θ contain atomic modalities.



Theorem 2. For every formula A, the set dj(A_A) is an admissible projective set for A.

Proof. By Lemmas 5 and 6, all formulas in dj(A_A) are either projective or inconsistent. By Theorem 1 we have A |∼ ⋁dj(A_A) ⊢ A.
A Appendix

In [2] Ghilardi introduced the notion of a projective formula. The paper contains the following useful semantical characterization of projective formulas. For Kripke models K_1, …, K_n we denote by (Σ_i K_i)' the Kripke model which is the result of attaching one new node below all nodes in K_1, …, K_n, at which no propositional variable is valid. We say that two rooted Kripke models are variants of each other when they have the same domain and partial order, and their forcing relations only possibly differ at the roots. A class of rooted Kripke models has the extension property when for every finite set of Kripke models K_1, …, K_n in this class, there is a variant of (Σ_i K_i)' which is in this class as well.

Theorem 3. (Ghilardi [2]) A formula is projective if and only if its class of models has the extension property.

In [3] Ghilardi presents an algorithm called CHECK-PROJECTIVITY that checks if a formula is projective. We use this algorithm in Sect. 3.2 to show that the formulas in p(A_A) are projective. In this section we state the algorithm and cite the results in [3] that we need there. Thus this section is a recapitulation of results in [3]. Only at one point, which we will indicate, does our notation differ slightly from the one used by Ghilardi. In this section ⊢ stands again for ⊢_IPC.

An input formula A of the CHECK-PROJECTIVITY algorithm is assumed to have the form ⋀_i (A_i → A'_i) (w.l.o.g. one may assume that all formulas have this form). The algorithm manipulates sets O, O' of so-called signed subformulas of A. A signed formula is an expression of the following six kinds: TB, FB, T^cB, F^cB, p^+, p^−, where B is a subformula of A and p is an atomic formula. (Ghilardi uses x for atomic formulas, and Δ and Γ for the sets we denote by O.) Signed formulas of the form TB, FB are called truth modalities, signed formulas of the form T^cB, F^cB are called context modalities and signed formulas of the form p^+ or p^− are called atomic modalities. Signed formulas express conditions on models K: TB (FB) means that B is true (false) at the root of K, T^cB (F^cB) means that B is true in the context of K (the context of K consists of all nodes different from the root), p^+ is a synonym of Tp and p^− means that p is false at the root and true in the context of K. If O is a set of signed subformulas then K ⊨ O means that K matches all the requirements expressed by O. A set O is inconsistent iff it contains either F^c⊤, or TB and FB, or TB and F^cB, or p^+ and p^−, or Tp and p^−, or p^+ and Fp, for some B or some atomic formula p. For sets O, TO is the set of truth modalities of O, T^+O is the set of atomic modalities of O and T^cO is the set of context modalities of O. For X, Y, Z ∈ {T, T^+, T^c}, XYO denotes XO ∪ YO and XYZO denotes XO ∪ YO ∪ ZO. The sets FO, F^−O and F^cO are defined in a similar way.

The algorithm analyzes reasons for which we may have that A is false in the root and true in the context of a given model. From the rules of the algorithm given below it is easy to deduce that the following Soundness lemma holds. We will not need this lemma, but thought it instructive to state since it captures the idea behind the algorithm.

Lemma 7. Let A be the input formula and O_1, …, O_n a stage of the algorithm. If K is a model such that k ⊨ A for all k ∈ K different from the root, then K ⊭ A iff (K ⊨ O_1 or … or K ⊨ O_n).
The CHECK-PROJECTIVITY Algorithm. (The names that are given to the rules do not come from Ghilardi, but for our purposes it is convenient to have them available.)

Initialization

    {TA_1, FA'_1}, …, {TA_n, FA'_n}

Tableaux Rules (each rule rewrites the set O_j it is applied to; the other sets O_1, …, O_n are unchanged, and a rule whose conclusion lists two sets replaces O_j by both)

    T∧    O_j ∪ {T B_1 ∧ B_2}   /   O_j ∪ {TB_1, TB_2}
    T⊤    O_j ∪ {T⊤}           /   O_j
    T∨    O_j ∪ {T B_1 ∨ B_2}   /   O_j ∪ {TB_1},  O_j ∪ {TB_2}
    T⊥    O_j ∪ {T⊥}           /   O_j is removed: O_1, …, O_{j−1}, O_{j+1}, …, O_n
    F∧    O_j ∪ {F B_1 ∧ B_2}   /   O_j ∪ {FB_1},  O_j ∪ {FB_2}
    F⊤    O_j ∪ {F⊤}           /   O_j is removed: O_1, …, O_{j−1}, O_{j+1}, …, O_n
    F∨    O_j ∪ {F B_1 ∨ B_2}   /   O_j ∪ {FB_1, FB_2}
    F⊥    O_j ∪ {F⊥}           /   O_j
    T→    O_j ∪ {T B_1 → B_2}   /   O_j ∪ {FB_1, T^c(B_1 → B_2)},  O_j ∪ {TB_2}
    F→    O_j ∪ {F B_1 → B_2}   /   O_j ∪ {F^c(B_1 → B_2)},  O_j ∪ {TB_1, FB_2}
    T¬    O_j ∪ {T¬B}          /   O_j ∪ {FB, T^c¬B}
    F¬    O_j ∪ {F¬B}          /   O_j ∪ {F^c¬B},  O_j ∪ {TB}
    Tp    O_j ∪ {Tp}           /   O_j ∪ {p^+}
    Fp    O_j ∪ {Fp}           /   O_j ∪ {p^−},  O_j ∪ {F^c p}

Resolution Rule

    O_1, …, O_j ∪ {p^+}, …, O_i ∪ {p^−}, …, O_n
    O_1, …, O_j ∪ {p^+}, …, O_i ∪ {p^−}, …, O_n, O_j ∪ O_i ∪ {T^c p}

Simplification Rule

    O_1, …, O_j, …, O_n
    O_1, …, O_{j−1}, O_{j+1}, …, O_n
    provided A ∧ ⋀T^cO_j ⊢ C, for some C ∈ F^c(O_j).

Auxiliary Simplification Rule

    O_1, …, O_j, …, O_n
    O_1, …, O_{j−1}, O_{j+1}, …, O_n
    provided O_j ⊇ O_i for some i ≠ j or provided O_j is inconsistent.

Ghilardi shows that the algorithm terminates after a finite number of steps. The following theorem is the one we will need. It is Theorem 4.2 of [3].

Theorem 4. (Ghilardi [3]) A is projective iff each of its output sets contains at least one atomic modality.
Abstract. Using a recent result by Hesse we show that for any fixed linear-time temporal formula the dynamic model checking problem is in Dyn-TC⁰, a complexity class introduced by Hesse, Immerman and Patnaik, containing all dynamic problems where the update after an operation has been performed can be computed by a DLOGTIME-uniform constant-depth threshold circuit. The operations permitted to modify the transition system to be verified include insertion and deletion of transitions and relabeling of states.



1 Introduction 

Usually, a model checking problem is defined as follows. Given a transition sys- 
tem and a system specification, also called property, check whether the system 
has the property. This is motivated by the fact that in order to ensure that a 
piece of hardware or software is correct one checks that it has certain desirable 
properties. Looking more closely one observes that as the system evolves during 
the design process the desirable properties are checked over and over again, be- 
cause properties once true can be made false by a modification and properties 
once false hopefully become true. This gives rise to a dynamic view of model 
checking and motivates a dynamic version of the model checking problem: re- 
compute the truth value of the property in question after a modification of the 
system. Clearly, the recomputation may be facilitated by keeping around auxil- 
iary data, but then this must also be adapted as the system is modified. From a 
theoretical point of view it is now interesting to determine how difficult the re- 
computation is (both the mere recomputation of the truth value of the property 
and the update of the auxiliary data), that is, how efficiently the recomputation 
can be carried out. In the present paper, this is studied in a very specific setting, 
namely when the properties are specified in linear-time temporal logic. 

We work in the logical framework of dynamic complexity provided by Hesse, 
Immerman, and Patnaik [11,8]. In this framework, hereafter called the HIP ap- 
proach, the problem instances as well as the auxiliary data are represented by 
relational structures, and the changes to the auxiliary data are described in an 
appropriate logic (of low complexity). For instance, Hesse and Immerman show in [8] that a dynamic version of the circuit value problem is complete for Dyn-FO, the class of dynamic problems where the update can be described by a first-order formula. The most sophisticated result, which is also the basis for our classification of the model checking problem, is Hesse's Theorem [7], which says that dynamic graph reachability is in Dyn-TC⁰ or, equivalently, Dyn-FO(Count) [9]. This means that the update can be carried out by threshold circuits of constant depth or first-order logic with counting, respectively.

Graph reachability is almost like LTL model checking; recall that in the automata-theoretic approach to LTL model checking [17] a given formula (its negation) is converted into a Büchi automaton, then a product of this automaton and the transition system is built, and finally an emptiness test for the resulting Büchi automaton, which amounts to a number of reachability tests, is carried out. This explains briefly how we obtain our main theorem, which says that the formula complexity of dynamic LTL model checking is in Dyn-TC⁰.

The situation with model checking is somewhat more complicated than with 
graph reachability, because we also consider the possibility of relabeling states 
(which is similar to adding and deleting nodes) whereas Hesse is mainly inter- 
ested in adding and removing edges. 

To the best of our knowledge, there are as yet no non-trivial results on the 
dynamic complexity of model checking. (This is somewhat different for the re- 
lated area of dynamic graph problems and the dynamic evaluation of database 
queries with transitive closure, see, e.g., [3,5,10,12].) Concrete dynamic model 
checking algorithms (as opposed to complexity results) have been dealt with in 
various papers, see, e.g., [14,15,16]. The most recent results on dynamic graph 
reachability are by Roditty and Zwick [13]. 

This paper is organized as follows. In Sect. 2, we review the HIP approach, in Sect. 3 we review LTL model checking, Sect. 4 describes how dynamic model checking can be reduced to dynamic selective transitive closure, a problem specifically tailored for our purposes, and, finally, Sect. 5 explains why dynamic selective transitive closure is in Dyn-TC⁰, which also proves that dynamic LTL model checking is in Dyn-TC⁰.

For background on circuit complexity, descriptive complexity, and model 
checking, see [18], [9], and [2], respectively. 

2 Dynamic Complexity Framework 

In this section, we provide the necessary background on dynamic complexity by 
looking at examples; for detailed information, see [8] . As stated in the introduc- 
tion, we use the HIP approach and modify it slightly in order to be able to treat 
computation problems — in [8], only decision problems are considered. 



2.1 Background on Descriptive Complexity 

Our entire approach is based on descriptive complexity, and we start off with 
some background on this. 
We are only interested in relational structures A where the universe, denoted |A|, is an initial segment of the natural numbers, that is, |A| = {0, 1, …, n−1}. In addition, we assume that every structure is provided with the built-in predicate < (with the natural interpretation) and the built-in predicate BIT^(2), which may be used to query the binary representation of the numbers building the universe: BIT^A(i, j) holds if the jth bit of i is 1. Moreover, we assume the structures have at least 2 elements, and we identify 0 with false and 1 with true. Structures of this kind will be referred to as arithmetic structures. Given a relational vocabulary τ, we write Struc[τ] for the set of all arithmetic structures with vocabulary τ (more precisely, with vocabulary τ ∪ {<, BIT}) and Struc_n[τ] for all such structures with n elements.

For specifying properties of arithmetic structures, we only consider first-order logic, denoted FO, and extensions thereof. Our main theorem involves FO[Count], the logic obtained from FO by adding so-called counting quantifiers ∃^i x φ with the meaning "there exist i many x such that φ holds", where the occurrence of i is free.

Observe that already in FO, with the built-in predicates < and BIT, it is 
easy to express addition and multiplication on the universe, see [9], as well as 
the boolean operations on the subuniverse {0, 1}. This is the reason why in the 
following we will use + and • freely in our first-order formulas as well as boolean 
operations on terms meant to denote boolean values. 

An important fact, which ties the logical approach to the computational side, 
is the following. 

Theorem 1 ([1,4]) In FO[Count], one can express exactly the properties that 
can be computed by DLOGTIME-uniform polynomial-size constant- depth thresh- 
old circuits. 

2.2 Dynamic Problems 

The basic idea is that a dynamic problem is specified by (1) a set of operations 
that can be used to build instances of the problem and (2) for every sequence of 
operations a solution to the instance represented by this sequence. A particular 
aspect of the HIP approach is that the problems are parametrized according to 
the size of the input; we will use n to denote this size. 

As an example, we consider the problem dynamic transitive closure, DynTransClos, where we are interested in computing (maintaining) the transitive closure of a binary relation, which we view as the edge set of a directed graph. The graph can (dynamically) be constructed by deleting and inserting edges. Therefore, we use the vocabulary Σ^tc = {Insert^(2), Delete^(2)} of two binary operators. For the parameter n, the set of operations for constructing the instances of DynTransClos is then given by

\[
\Sigma^{tc}_n = \{\mathrm{Insert}(i, j) \mid i, j < n\} \cup \{\mathrm{Delete}(i, j) \mid i, j < n\}. \tag{1}
\]

The transitive closure of a graph is simply a binary relation on the vertex set of the given graph, which is why for representing the solutions to the instances we will use structures over the vocabulary τ^tc = {C^(2)}. For any n, the solutions are described by the mapping

\[
s^{tc}_n : u \mapsto \mathcal{A}^{tc}_u, \qquad u \in (\Sigma^{tc}_n)^*,\; \mathcal{A}^{tc}_u \in \mathrm{Struc}_n[\tau^{tc}] \tag{2}
\]

where A^tc_u represents the transitive closure of the graph obtained from the empty graph with n vertices by inserting and deleting edges as described by u. Formally, our dynamic problem is now given by

\[
\mathrm{DynTransClos} = (\Sigma^{tc}, \tau^{tc}, (s^{tc}_n)_n). \tag{3}
\]

In this paper, we will be interested in two other dynamic problems as well, namely selective transitive closure, DynSelTransClos, which we introduce below, and a family of model checking problems, for each LTL formula $\varphi$ a problem DynLTLModCheck$_\varphi$, which we introduce in the subsequent section.

DynSelTransClos is a modification of DynTransClos where we try to model that vertices can be added and removed. To this end, we imagine that the vertices of the graph in question can be in two different states, selected or unselected. In determining the transitive closure only edges incident with selected vertices can be used. In other words, we only consider paths with selected nodes on them, also called active paths. Formally, we set

$\Sigma^{stc} = \Sigma^{tc} \cup \{\mathrm{Select}^{(1)}, \mathrm{Deselect}^{(1)}\} ,$ (4)

$\tau^{stc} = \tau^{tc} ,$ (5)

and have

$s^{stc}_n : u \mapsto A^{stc}_u , \quad u \in (\Sigma^{stc}_n)^* ,\ A^{stc}_u \in \mathrm{Struc}_n[\tau^{stc}]$ (6)

where $A^{stc}_u$ represents the transitive closure of the graph obtained from the empty graph with $n$ vertices by performing the operations listed in $u$.

In fact, we are interested in a variant of DynSelTransClos, denoted DynSelTransClos$_\psi$, in which the set of selected vertices of the initial graph is described by a fixed first-order formula $\psi$. That is, the operation sequence $u \in (\Sigma^{stc}_n)^*$ is applied to the graph on $n$ vertices with no edges and with vertex $i$ selected iff $\psi(i)$ holds.

2.3 Dynamic Programs 

An algorithm for solving a dynamic problem will usually maintain some auxiliary 
data structure where crucial information is stored. For instance, we will see 
that for computing the transitive closure Hesse maintains counts of paths of 
certain lengths. In the HIP approach, the auxiliary data structure is modeled by 
additional relations. The computation itself — how the data structure is updated 
when an operation is performed — is then described by appropriate formulas. 

Consider a very simple example, DynDivBy6, where an element of a structure is either selected or not and suppose we want to determine if the number of selected elements is divisible by 6. In analogy to before, we choose

$\Sigma^{div6} = \{\mathrm{Select}^{(1)}, \mathrm{Deselect}^{(1)}\} ,$ (7)

$\tau^{div6} = \{d_6^{(0)}\} ,$ (8)

and we have a description of the solutions,

$s^{div6}_n : u \mapsto A^{div6}_u , \quad u \in (\Sigma^{div6}_n)^* ,\ A^{div6}_u \in \mathrm{Struc}_n[\tau^{div6}] .$ (9)



In order to be able to determine (efficiently) whether or not the number of selected vertices is divisible by six we (have to) remember which vertices are selected and which aren’t and their count modulo 6. For this purpose, our auxiliary data structure will have a unary relation, denoted $S$, and six boolean constants $m_0, \dots, m_5$. The updates of the auxiliary data and the updates of the solution relation $d_6$ are described by simple formulas. For Select$(i)$, we have



$S'(x) := i = x \lor S(x) ,$ (10)

$m'_0 := (S(i) \land m_0) \lor (\lnot S(i) \land m_5) ,$ (11)

$m'_1 := (S(i) \land m_1) \lor (\lnot S(i) \land m_0) ,$ (12)

$m'_2 := (S(i) \land m_2) \lor (\lnot S(i) \land m_1) ,$ (13)

$m'_3 := (S(i) \land m_3) \lor (\lnot S(i) \land m_2) ,$ (14)

$m'_4 := (S(i) \land m_4) \lor (\lnot S(i) \land m_3) ,$ (15)

$m'_5 := (S(i) \land m_5) \lor (\lnot S(i) \land m_4) ,$ (16)

$d'_6 := (S(i) \land m_0) \lor (\lnot S(i) \land m_5) .$ (17)



Note that := is to be read as an assignment where the unprimed variables refer to the relations and constants before the operation Select$(i)$ has been carried out, while the primed variables refer to the relations and constants after the operation has been carried out. Note also that (17) simply says that $d_6$ and $m_0$ are the same. The entire block of assignments, (10)-(17), is called the dynamic procedure for Select. For Deselect, we could set up a very similar dynamic procedure. In addition to this, we have to specify the initial interpretation of the auxiliary data structure and the result we expect before any operation has been carried out:



$S(x) := \mathrm{False} ,$ (18)

$m_0 := \mathrm{True} ,\ m_1 := \mathrm{False} ,\ m_2 := \mathrm{False} ,$ (19)

$m_3 := \mathrm{False} ,\ m_4 := \mathrm{False} ,\ m_5 := \mathrm{False} ,$ (20)

$d_6 := \mathrm{True} .$ (21)



This block of assignments, (18)-(21), is called the initialization procedure. The assignments all together constitute our dynamic program for DynDivBy6.



2.4 Dynamic Complexity 

In the HIP approach, dynamic complexity classes are made up from logics. Given a logic $\mathcal{L}$, the complexity class Dyn-$\mathcal{L}$ consists of all dynamic problems that can be solved via a dynamic program (as above) where the initial settings and the updates are described by formulas from $\mathcal{L}$.

Hesse’s result, which we rely on here heavily, gives an upper bound for the 
complexity of dynamic transitive closure: 

Theorem 2 ([7]) DynTransClos is in Dyn-FO[Count] (= Dyn-TC$^0$).

The equality Dyn-FO[Count] = Dyn-TC$^0$ is justified by Theorem 1.

2.5 Reductions 

Just as in ordinary complexity theory the notion of a reduction is quite useful, 
both for defining completeness and for ease in proving membership in a certain 
complexity class. 

As a simple example, consider the problem DynDivBy3, the obvious modification of DynDivBy6. Clearly, divisibility by three can be deduced from divisibility by six if one can double: 3 divides $x$ iff 6 divides $2x$. Therefore, in our reduction from DynDivBy3 to DynDivBy6, we will double the universe. (One might be tempted to use the simple formula $d_6 \lor m_3$ as a reduction; this does not work because $m_3$ is not part of the specification of DynDivBy6.)

In general, a reduction from a dynamic problem $P = (\Sigma, \tau, (s_n)_n)$ to a dynamic problem $Q = (\Gamma, \sigma, (t_n)_n)$ is composed of

— a universe expansion function, $e : \mathbb{N} \to \mathbb{N}$, a polynomial with $e(n) \ge n$ for all $n$,

— a family $(h_n)_n$ of reduction homomorphisms $h_n : \Sigma_n^* \to \Gamma_{e(n)}^*$, and

— for each symbol $R \in \tau$ a first-order result definition $R(x_0, \dots, x_{k-1}) := \varphi_R(x_0, \dots, x_{k-1})$ where $\varphi_R$ is in the vocabulary $\sigma$.

It is required that the family $(h_n)_n$ is bounded, that is, there must exist some $k$ such that for all $n$ and for all $a \in \Sigma_n$, $|h_n(a)| \le k$. Moreover, all images $h_n(a)$ must be specified in a uniform way, say, by a first-order formula.

In ordinary complexity theory, for a reduction $f$ from $L$ to $L'$ we need that $x \in L$ iff $f(x) \in L'$ for all strings $x$. This translates to our dynamic setting as follows. For every $n$, every sequence $u \in \Sigma_n^*$, every $k$-ary relation symbol $R \in \tau$, and $a_0, \dots, a_{k-1} < n$, we have $s_n(u) \models R(a_0, \dots, a_{k-1})$ iff $t_{e(n)}(h_n(u)) \models \varphi_R(a_0, \dots, a_{k-1})$.

For the concrete reduction from DynDivBy3 to DynDivBy6 we choose the above components as follows. The expansion function is given by $e(n) = 2n$, the reduction homomorphisms are determined by $h_n(\mathrm{Select}(i)) = \mathrm{Select}(i)\,\mathrm{Select}(n + i)$ and $h_n(\mathrm{Deselect}(i)) = \mathrm{Deselect}(i)\,\mathrm{Deselect}(n + i)$, and the result definition is simply $d_3 := d_6$.
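The dynamic program of Section 2.3 and the reduction just described, executed as an added example (this is not code from the paper): the update formulas (10)-(17) and the initialization (18)-(21) for DynDivBy6, the symmetric Deselect procedure the text leaves to the reader, and DynDivBy3 solved through the universe-doubling homomorphism $h_n$ with result definition $d_3 := d_6$. The operation encoding as tuples and the naive replay used as reference are this example's own.

```python
from dataclasses import dataclass, field


@dataclass
class DivBy6Program:
    """Auxiliary data of the dynamic program for DynDivBy6: the unary relation S
    and the boolean constants m_0, ..., m_5; d_6 is the solution relation."""
    n: int
    S: set = field(default_factory=set)
    m: list = field(default_factory=lambda: [True] + [False] * 5)  # (19), (20)
    d6: bool = True                                                  # (21)

    def select(self, i):
        """Dynamic procedure for Select(i), formulas (10)-(17): every primed
        value is computed from the unprimed ones before the operation."""
        assert 0 <= i < self.n
        s_i = i in self.S
        # (11)-(16): nothing changes if i was selected already; otherwise the
        # count modulo 6 advances by one, i.e. m'_r takes the old m_{r-1}
        new_m = [(s_i and self.m[r]) or (not s_i and self.m[(r - 1) % 6])
                 for r in range(6)]
        self.S = self.S | {i}            # (10): S'(x) := x = i or S(x)
        self.m = new_m
        self.d6 = new_m[0]               # (17): d_6 and m_0 coincide

    def deselect(self, i):
        """The analogous dynamic procedure for Deselect(i), which the paper
        leaves to the reader: the count modulo 6 steps back by one."""
        assert 0 <= i < self.n
        s_i = i in self.S
        new_m = [(not s_i and self.m[r]) or (s_i and self.m[(r + 1) % 6])
                 for r in range(6)]
        self.S = self.S - {i}
        self.m = new_m
        self.d6 = new_m[0]

    def apply(self, op):
        """Apply one operation of Sigma^{div6}_n, given as ('Select', i) or
        ('Deselect', i)."""
        {"Select": self.select, "Deselect": self.deselect}[op[0]](op[1])


def solve_div6(n, ops):
    """s^{div6}_n(u): run the dynamic program on u and return d_6."""
    prog = DivBy6Program(n)
    for op in ops:
        prog.apply(op)
    return prog.d6


def h_div3_to_div6(n, op):
    """Reduction homomorphism h_n: the operation on element i of the n-element
    universe becomes the same operation on i and on n + i of the doubled
    universe (e(n) = 2n), so the number of selected elements is doubled."""
    kind, i = op
    return [(kind, i), (kind, n + i)]


def solve_div3_by_reduction(n, ops):
    """s^{div3}_n(u) via the reduction: the result definition d_3 := d_6 is
    read off t_{e(n)}(h_n(u))."""
    image = [o for op in ops for o in h_div3_to_div6(n, op)]
    return solve_div6(2 * n, image)


def solve_div_direct(n, ops, divisor):
    """Naive reference: replay the operations and count selected elements."""
    selected = set()
    for kind, i in ops:
        (selected.add if kind == "Select" else selected.discard)(i)
    return len(selected) % divisor == 0


def check_all(n, ops):
    """Compare the dynamic program and the reduction with the naive replay after
    every prefix of the operation sequence."""
    for k in range(len(ops) + 1):
        prefix = ops[:k]
        if solve_div6(n, prefix) != solve_div_direct(n, prefix, 6):
            return False
        if solve_div3_by_reduction(n, prefix) != solve_div_direct(n, prefix, 3):
            return False
    return True


if __name__ == "__main__":
    # constructed operation sequence over a universe of size n = 10
    SAMPLE = [("Select", i) for i in range(7)] + [("Deselect", 3), ("Select", 3),
              ("Select", 3), ("Deselect", 9), ("Select", 8)]
    print("dynamic program agrees with naive replay:", check_all(10, SAMPLE))
```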

The important lemma we will need is the following. 

Lemma 1 If $P$ and $P'$ are dynamic problems such that $P' \in$ Dyn-FO[Count] and $P$ can be reduced to $P'$, then $P \in$ Dyn-FO[Count].

The proof is similar to the corresponding lemma from [8]; the fact that we 
deal with computation problems is only a technical point. 
3 LTL Model Checking and Main Result

We first recall ordinary LTL model checking, then define dynamic LTL model checking, and conclude with the description of the automata-theoretic method for solving the ordinary LTL model checking problem.

3.1 Ordinary LTL Model Checking 

In ordinary LTL model checking we are given (1) a transition system

$T = (S, P, R, L, s_I)$ (22)

with state set $S$, set of propositional variables $P$, edge relation $R \subseteq S \times S$, labeling function $L : S \to 2^P$, and initial state $s_I$, and (2) a temporal formula $\varphi$, built from the propositional variables in $P$, boolean connectives and temporal operators such as “next”, “eventually”, and “until”, and we ask whether $T \models \varphi$.

The relation $T \models \varphi$ holds if each infinite computation $s_0 s_1 s_2 \dots$ through $T$ (meaning $s_0 = s_I$, $(s_i, s_{i+1}) \in R$ for each $i$) satisfies $\varphi$, where, in turn, this means that $L(s_0) L(s_1) L(s_2) \dots \models \varphi$ holds in the usual sense.

3.2 Dynamic LTL Model Checking and Main Result 

In our dynamic version of the problem defined above, we allow the transition 
system to be changed, but leave the LTL formula fixed. This means we are 
interested in the program complexity of LTL model checking [17]. 

The operations of the dynamic version of the problem defined above with fixed formula $\varphi$, DynLTLModCheck$_\varphi$, are insertion and deletion of edges and relabeling of the states, more precisely,

$\Sigma^{mc_\varphi} = \{\mathrm{Insert}^{(2)}, \mathrm{Delete}^{(2)}\} \cup \{\mathrm{SetVar}_U^{(1)} \mid U \subseteq P\}$ (23)

where the intended meaning of SetVar$_U(i)$ is that the $i$th state of the transition system gets label $U$. The solution to the model checking problem is represented by a boolean constant, $v$ (for verified), that is

$\tau^{mc_\varphi} = \{v^{(0)}\} ,$ (24)

and finally,

$s^{mc_\varphi}_n : u \mapsto A^{mc_\varphi}_u , \quad u \in (\Sigma^{mc_\varphi}_n)^* ,\ A^{mc_\varphi}_u \in \mathrm{Struc}_n[\tau^{mc_\varphi}]$ (25)

where $s^{mc_\varphi}_n(u) \models v$ iff $\varphi$ holds in the transition system with state set $\{0, \dots, n-1\}$, initial state $0$ and edge relation and labeling according to $u$.

The main result of this paper is:

Theorem 3 For every LTL formula $\varphi$, dynamic model checking of the property $\varphi$, DynLTLModCheck$_\varphi$, is in Dyn-FO[Count] (= Dyn-TC$^0$).

The remainder of the paper explains our proof of this theorem. We start with a brief review of the automata-theoretic approach to model checking.

3.3 The Automata-Theoretic Method

In the automata-theoretic approach to LTL model checking [17], given an LTL formula $\varphi$, one first constructs a Büchi automaton

$A_\varphi = (Q, 2^P, q_I, \delta, F)$ (26)

with finite state set $Q$, alphabet $2^P$, initial state $q_I$, nondeterministic transition function $\delta : Q \times 2^P \to 2^Q$, and accepting state set $F$, which recognizes exactly all infinite strings over $2^P$ which do not satisfy $\varphi$.

Then, in the second step, one constructs the product of the given transition system $T$ (as above):

$A_{T \times \varphi} = (S \times Q, 2^P, s_I \times q_I, \delta', S \times F) ,$ (27)

where for $(s,q) \in S \times Q$ and $U \subseteq P$,

$(s', q') \in \delta'((s,q), U)$ iff $L(s) = U \land (s, s') \in R \land q' \in \delta(q, U)$. (28)

This construction guarantees that if the language of $A_{T\times\varphi}$ is empty, one can conclude no computation of $T$ violates $\varphi$, which means $T \models \varphi$, and if the language is not empty, one can conclude there exists a computation of $T$ violating $\varphi$, which means $T \not\models \varphi$. So, when we denote the language recognized by a Büchi automaton $A$ by $L(A)$, we can state:

Lemma 2 $T \models \varphi$ iff $L(A_{T\times\varphi}) = \emptyset$.

As a consequence, in the third and last step of the automata-theoretic approach, one checks $L(A_{T\times\varphi})$ for emptiness.

Observe that in general, the language of a Büchi automaton $(Q, \Sigma, q_I, \delta, F)$ is non-empty iff there exists $q \in F$ such that $q$ is reachable from $q_I$ and $q$ is reachable from itself (via a non-trivial path). This can easily be expressed using the transitive closure of the underlying transition graph.

3.4 Outline of Proof 

Our proof of Theorem 3 now goes as follows. The first step is to show that DynLTLModCheck$_\varphi$ can be reduced to DynSelTransClos$_\psi$, for a certain formula $\psi$, using the automata-theoretic approach just described. We then show that DynSelTransClos$_\psi$ is in Dyn-FO[Count], which, together with Lemma 1, will complete the proof of Theorem 3.

4 Reducing Dynamic LTL Model Checking 
to Selective Transitive Closure 

We first show how to model the product Büchi automaton $A_{T\times\varphi}$ as a selective graph $G$ in such a way that we will be able to reduce DynLTLModCheck$_\varphi$ to DynSelTransClos$_\psi$. On the one hand we want to decide whether $L(A_{T\times\varphi}) = \emptyset$ by considering the transitive closure of $G$, on the other hand the selective graph $G$ should be easily updatable according to the possible changes the transition system $T$ may undergo. The main problem here is to handle the relabeling of states in $T$. To cope with this we had to introduce the notion of selective graphs.



4.1 The Product Automaton as a Selective Graph 

For determining if a transition system $T$ is a model of an LTL-formula $\varphi$ it suffices to know the transitive closure of the transition graph of the product Büchi automaton $A_{T\times\varphi}$, see Section 3. The edge relation of this transition graph is described by (28). In order to reduce DynLTLModCheck$_\varphi$ to DynSelTransClos we have to simulate each operation of $\Sigma^{mc_\varphi}$ by a bounded sequence of operations from $\Sigma^{stc}$. An insertion or deletion of a transition in $T$ can only cause at most $|Q|^2$ changes in the transition graph of $A_{T\times\varphi}$, and $|Q|^2$ is independent of the size $n$ of the transition system $T$. But if we change the label of state $i$ of $T$ we may have to change up to $n^2$ edges in the transition graph of $A_{T\times\varphi}$. As a consequence, the operations SetVar$_U$ cannot be simulated by a uniformly bounded sequence of insertions and deletions in the transition graph associated with $A_{T\times\varphi}$.

With selective graphs, we can handle relabeling as well. We split up (28) into two parts: (i) $L(s) = U$ and (ii) $(s, s') \in R \land q' \in \delta(q, U)$, and model the second part by transitions and the first part by selecting vertices.

The selective graph $G$ representing the product Büchi automaton

$A_{T\times\varphi} = (S \times Q, 2^P, s_I \times q_I, \delta', S \times F) ,$ (29)

has vertex set $V = S \times 2^P \times Q$. There is an edge in $G$ from vertex $(i, U, q)$ to vertex $(i', U', q')$ if (ii) holds. So the edges of $G$ represent all possible labelings of $T$ at once. Which labeling is actually present is described by the selected vertices in $G$. At any point during the computation, a vertex $(i, U, q) \in V$ will be selected iff the label of $i$ in $T$ (at that point) is $U$, reflecting condition (i).

Then the following lemma holds. 

Lemma 3 $L(A_{T\times\varphi}) \ne \emptyset$ iff there exists $q \in F$ and $s \in S$ such that there is an active path from $(0, L(0), q_I)$ to $(s, L(s), q)$ and an active path from $(s, L(s), q)$ to $(s, L(s), q)$.

4.2 Reducing DynLTLModCheck to DynSelTransClos 

We may assume that $Q = \{q_0, \dots, q_{2^p - 1}\}$, that is, the size of $S \times 2^P \times Q$ is $n \cdot 2^{m+p}$. We want to encode the vertices of $G$ as numbers in order to encode it as an instance of DynSelTransClos$_\psi$. For this purpose, we identify each element $U$ of $2^P$ with a unique number from $\{0, \dots, 2^m - 1\}$, where, by convention, $0$ represents the empty labeling. A vertex $(i, U, q_j)$ is encoded as the number $i \cdot 2^{m+p} + U \cdot 2^p + j$. We represent the vertex set $V$ of $G$ by the set $\{0, \dots, n \cdot 2^{m+p} - 1\}$. Initially, the vertices of the selective graph $G$ correspond to the initial labeling of transition system $T$, i.e., since initially $L(i) = \emptyset$ for every state $i$, all vertices $(i, \emptyset, q)$ are selected. For the reduction from DynLTLModCheck$_\varphi$ to DynSelTransClos$_\psi$ we have to provide (i) the formula $\psi$, (ii) the reduction homomorphisms that map operation sequences of DynLTLModCheck$_\varphi$ to operation sequences of DynSelTransClos$_\psi$, and (iii) the formula that expresses the solution of DynLTLModCheck$_\varphi$ in terms of the solution of the corresponding problem in DynSelTransClos$_\psi$. This is what we will do in the remainder of this section.

(i) According to what was said above, we set

$\psi(i) = \forall j\,(p \le j < p + m \to \lnot\mathrm{BIT}(i, j)) .$ (30)

(ii) If we insert the edge $(i,j)$ into $T$ we have to insert the uniform set $\{((i, U, q), (j, U', q')) \mid q' \in \delta(q, U)\}$ into the corresponding selective graph $G$. If we delete edge $(i,j)$ the above set of edges has to be removed. So we can simulate insertion and deletion of an edge in the transition system $T$ by a bounded sequence of insertions and deletions in the corresponding selective graph:

$h(\mathrm{Insert}(i,j)) = \mathrm{Insert}(i \cdot 2^{p+m} + u_1,\ j \cdot 2^{p+m} + v_1) \dots \mathrm{Insert}(i \cdot 2^{p+m} + u_t,\ j \cdot 2^{p+m} + v_t) ,$ (31)

$h(\mathrm{Delete}(i,j)) = \mathrm{Delete}(i \cdot 2^{p+m} + u_1,\ j \cdot 2^{p+m} + v_1) \dots \mathrm{Delete}(i \cdot 2^{p+m} + u_t,\ j \cdot 2^{p+m} + v_t) ,$ (32)

where $\{(u_1, v_1), \dots, (u_t, v_t)\} = \{(2^p \cdot U + a,\ 2^p \cdot U' + b) \mid q_b \in \delta(q_a, U)\}$, with $U, U'$ ranging over all labelings. Note that the operation sequences are indeed bounded because $t$ is a fixed number not depending on $n$.

If we change the label of state $i$ of $T$ to $U$, we first deselect all vertices of the form $(i, \cdot, \cdot)$ and then select all vertices of the form $(i, U, \cdot)$. This leads to

$h(\mathrm{SetVar}_U(i)) = \alpha\beta$ (33)

where

$\alpha = \mathrm{Deselect}(i \cdot 2^{p+m}) \dots \mathrm{Deselect}((i + 1) \cdot 2^{p+m} - 1) ,$ (34)

$\beta = \mathrm{Select}(i \cdot 2^{p+m} + 2^p \cdot U) \dots \mathrm{Select}(i \cdot 2^{p+m} + 2^p \cdot U + 2^p - 1) .$ (35)

(iii) By Lemma 3 we can express $v \in \tau^{mc}$ in terms of $C \in \tau^{stc}$:

$v := \lnot \exists x \exists y\, \big(\rho_{\mathrm{initial}}(x) \land \rho_{\mathrm{final}}(y) \land C(x, y) \land C(y, y)\big) ,$ (36)

where

$\rho_{\mathrm{initial}}(x) = \forall z\,(z < p \to \lnot\mathrm{BIT}(x, z)) \land \forall z\,(z \ge m + p \to \lnot\mathrm{BIT}(x, z)) ,$ (37)

$\rho_{\mathrm{final}}(x) = \bigvee_{q_j \in F} \forall z\,\big(z < p \to (\mathrm{BIT}(j, z) \leftrightarrow \mathrm{BIT}(x, z))\big) .$ (38)



Taking everything into account, we have shown the following lemma. 

Lemma 4 For any fixed LTL-formula $\varphi$ the problem DynLTLModCheck$_\varphi$ is reducible to DynSelTransClos$_\psi$.
5 DynSelTransClos Is in Dyn-TC$^0$

The last step of our proof is to show that DynSelTransClos$_\psi$ is in Dyn-TC$^0$. We do this by extending Hesse’s proof which shows that DynTransClos is in Dyn-TC$^0$. Without loss of generality, we only consider the non-parametrized version DynSelTransClos in the following.

The main idea of Hesse’s proof is to count the number of paths up to a certain length between any two vertices of the considered graph. These “path numbers” are stored as polynomials whose coefficients stand for the number of paths. To use these “path counting polynomials” in the dynamic setting one needs update formulas according to the possible graph operations. Hesse, in his paper, provides update formulas for inserting and deleting edges and deleting vertices. In order to use the idea of the path counting polynomials for DynSelTransClos we give an update formula for selecting (and deselecting) vertices. To place DynTransClos in Dyn-TC$^0$ Hesse represents the counting polynomials as large integers and uses the results from [6] to show that one can perform the updates on this number representation of the path counting polynomials by a Dyn-TC$^0$ (or Dyn-FO[Count]) procedure.

In the following, we explain Hesse’s ideas in more detail and present our 
lemma for modeling the selection of vertices in selective graphs. 



5.1 Path Counting Polynomials 

For vertices $s, t$ of a directed graph $G$ we represent the number of paths between $s$ and $t$ by the path counting polynomial

$f_{s,t}(x) = \sum_{k=0}^{\infty} p_{s,t}(k)\, x^k$ (39)

where $p_{s,t}(k)$ is the number of directed paths from $s$ to $t$ of length $k$.

If we insert or delete edges in $G$ the coefficients $p_{s,t}(k)$ of the path counting polynomials have to be recomputed. Hesse gives update formulas for the path counting polynomials for three operations: insertion and deletion of edges and for deleting all edges incident with a single vertex at once. As an example we give the update formula for inserting a new edge $(i,j)$ from vertex $i$ to $j$. By $f'_{s,t}(x)$ we denote the path counting polynomial after insertion of edge $(i,j)$. With this notation, we can state one of Hesse’s results:

$f'_{s,t}(x) = f_{s,t}(x) + f_{s,i}(x) \Big(\sum_{k=0}^{\infty} \big(f_{j,i}(x)\, x\big)^k\Big)\, x\, f_{j,t}(x)$ (40)



In DynSelTransClos we consider selective graphs, which means we count only active paths between vertices: in our setting, the coefficient $p_{s,t}(k)$ is the number of active paths between $s$ and $t$ of length $k$. In DynSelTransClos there are four operations to be considered: insertion and deletion of edges and selection and deselection of vertices. For the insertion and deletion of edges and deselection of vertices we can apply the update formulas given by Hesse mentioned above. For solving DynSelTransClos we prove the following lemma, where, for a vertex $i$ we denote by $(i]$ and $[i)$ the set of all predecessors and successors of $i$, respectively.

Lemma 5 Let $i$ be a non-active vertex of graph $G$ and $G'$ the graph $G$ with activated vertex $i$ and edge $(i, i)$ not contained in $G$. For all vertices $s, t$ of $G$, let $f_{s,t}(x)$ and $f'_{s,t}(x)$ be the path counting power series of $G$ and $G'$, respectively:

$f_{s,t}(x) = \sum_{k=0}^{\infty} p_{s,t}(k)\, x^k , \qquad f'_{s,t}(x) = \sum_{k=0}^{\infty} p'_{s,t}(k)\, x^k .$ (41)

Then, for $i \notin \{s, t\}$,

$f'_{s,t}(x) = f_{s,t}(x) + f_{s,(i]}(x)\, x^2 \Big(\sum_{k=0}^{\infty} \big(f_{[i),(i]}(x)\, x^2\big)^k\Big) f_{[i),t}(x)$ (42)

where

$f_{s,(i]}(x) = \sum_{u \in (i]} f_{s,u}(x) ,$ (43)

$f_{[i),t}(x) = \sum_{v \in [i)} f_{v,t}(x) ,$ (44)

$f_{[i),(i]}(x) = \sum_{(v,u) \in [i) \times (i]} f_{v,u}(x) .$ (45)



Proof (following the proof of [7, Lemma 2]). The main idea is to write $p'_{s,t}(l)$ as a sum where the $j$-th addend is the number of active paths of length $l$ from $s$ to $t$ containing $i$ exactly $j$ times.

Each active path from $s$ to $t$ in $G'$ of length $l$ containing $i$ exactly once ($j = 1$) can be decomposed into three parts: an active path from $s$ to an active predecessor $u$ of $i$ in $G$ of length $m$, edges $(u, i)$ and $(i, v)$ for an active successor $v$ of $i$ in $G$, and an active path from $v$ to $t$ of length $l - 2 - m$. Thus, the number of active paths from $s$ to $t$ in $G'$ containing vertex $i$ exactly once is:

$\sum_{m=0}^{l-2} p_{s,(i]}(m)\, p_{[i),t}(l - 2 - m) .$ (46)

This is the coefficient of $x^l$ in $f_{s,(i]}(x)\, x^2 f_{[i),t}(x)$.

An active path from $s$ to $t$ using $i$ exactly twice ($j = 2$) can be decomposed into an active path from $s$ to an active predecessor $u$ of $i$, edges $(u, i)$ and $(i, v)$ for an active successor $v$ of $i$, an active path from $v$ to an active predecessor $u'$ of $i$, edges $(u', i)$ and $(i, v')$ for an active successor $v'$ of $i$, and an active path from $v'$ to $t$ in $G$. The number of such paths of length $l$ is:

$\sum_{m=0}^{l-4} \sum_{o=0}^{l-4-m} p_{s,(i]}(m)\, p_{[i),(i]}(o)\, p_{[i),t}(l - 4 - m - o) .$ (47)

This is the coefficient of $x^l$ in $f_{s,(i]}(x)\, x^2 f_{[i),(i]}(x)\, x^2 f_{[i),t}(x)$. Generalizing this to arbitrary $j$ and summing the respective expressions will yield an expression identical with the right-hand side of (42). □



5.2 Integer Representation of the Polynomials 

In order to decide whether vertex $t$ is reachable from vertex $s$ by an active path we only need to know if there is an active path of length less than $n$ from $s$ to $t$. Thus, we only have to maintain the first $n$ coefficients of the polynomials $f_{s,t}(x)$, and these can be extracted from the single number

$a_{s,t} = \sum_{k=0}^{n-1} p_{s,t}(k)\, r^k$ (48)

where $r$ is large enough. In fact, as Hesse points out, $r = 2^{n^2}$, because then the binary representation of $a_{s,t}$ is merely the concatenation of the binary representations of the $p_{s,t}(k)$’s with appropriate padding.

The update formulas for the path counting polynomials of Section 5.1 can be applied directly to compute the updates of their integer representations by computing mod $r^n$. Now (40) turns into

$a'_{s,t} = \Big(a_{s,t} + a_{s,i} \Big(\sum_{k=0}^{n-1} (a_{j,i}\, r)^k\Big)\, r\, a_{j,t}\Big) \bmod r^n .$ (49)



Using the result of [6] that the product of $n^{O(1)}$ numbers in binary of $n^{O(1)}$ bits can be computed by a TC$^0$ (or FO[Count]) procedure we show just as Hesse [7] that the update formulas for the integers $a_{s,t}$ can be computed by a TC$^0$ program. Together with Lemmas 4 and 1 this completes our proof of Theorem 3.
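An added example (not the paper's or Hesse's code) covering Sections 5.1 and 5.2: truncated path counting series for a constructed four-vertex selective graph, the edge-insertion update (40) and the activation update (42)-(45) of Lemma 5 checked against a brute-force recount, and the integer representation (48) with $r = 2^{n^2}$. Series are truncated after the first $n$ coefficients, which is all that reachability needs; the helper names are this example's own.

```python
from itertools import product

def series_add(a, b):
    return [x + y for x, y in zip(a, b)]

def series_mul(a, b):
    """Product of two series truncated to the first len(a) coefficients."""
    D, out = len(a), [0] * len(a)
    for k, x in enumerate(a):
        for l in range(D - k):
            out[k + l] += x * b[l]
    return out

def series_shift(a, e):
    """Multiply by x^e (truncated)."""
    return [0] * e + a[:len(a) - e]

def geometric(a):
    """sum_{k>=0} a^k; finite after truncation because a has no constant term."""
    assert a[0] == 0
    out = [1] + [0] * (len(a) - 1)
    power = out[:]
    for _ in range(len(a)):
        power = series_mul(power, a)
        out = series_add(out, power)
    return out

def count_paths(n, edges, active, D):
    """Brute-force reference: p_{s,t}(k), k < D, counts the walks of length k
    from s to t all of whose vertices, endpoints included, are active."""
    f = {(s, t): [0] * D for s in range(n) for t in range(n)}
    for s in active:
        f[(s, s)][0] = 1                       # the empty path at an active vertex
    for k in range(1, D):
        for s, t in product(range(n), repeat=2):
            if t in active:
                f[(s, t)][k] = sum(f[(s, u)][k - 1] for u in active if (u, t) in edges)
    return f

def insert_edge(f, n, i, j):
    """Formula (40): f'_{s,t} = f_{s,t} + f_{s,i} (sum_k (f_{j,i} x)^k) x f_{j,t};
    an inactive i or j contributes nothing because its series is zero."""
    loop = geometric(series_shift(f[(j, i)], 1))
    return {(s, t): series_add(f[(s, t)], series_mul(series_mul(f[(s, i)], loop),
                                                     series_shift(f[(j, t)], 1)))
            for s in range(n) for t in range(n)}

def activate_vertex(f, n, edges, i):
    """Lemma 5, formula (42), for all s, t != i; (i] and [i) are the predecessors
    and successors of i, inactive ones contributing zero series in (43)-(45)."""
    D = len(f[(0, 0)])
    preds = [u for u in range(n) if (u, i) in edges]
    succs = [v for v in range(n) if (i, v) in edges]

    def ssum(keys):
        out = [0] * D
        for key in keys:
            out = series_add(out, f[key])
        return out

    loop = geometric(series_shift(ssum([(v, u) for v in succs for u in preds]), 2))  # (45)
    g = {}
    for s in range(n):
        for t in range(n):
            if i not in (s, t):
                head = series_shift(ssum([(s, u) for u in preds]), 2)   # (43) times x^2
                tail = ssum([(v, t) for v in succs])                    # (44)
                g[(s, t)] = series_add(f[(s, t)], series_mul(series_mul(head, loop), tail))
    return g

def integer_rep(coeffs, n):
    """(48): a_{s,t} = sum_{k<n} p_{s,t}(k) r^k with r = 2^(n^2); returns (a, r)."""
    r = 2 ** (n * n)
    return sum(c * r ** k for k, c in enumerate(coeffs)), r

def reachable_from_integer(a, r, n):
    """Recover the coefficients from a_{s,t}: t is reachable from s by an active
    path of length < n iff one of them is non-zero."""
    return any((a // r ** k) % r for k in range(n))

def demo():
    """Constructed 4-vertex selective graph: True iff (40) and (42) agree with the
    brute-force recount and the integer representation reads back correctly."""
    n = 4
    edges = {(0, 1), (1, 2), (2, 1), (2, 3), (1, 3)}
    active = {0, 1, 3}                            # vertex 2 starts unselected
    f = count_paths(n, edges, active, n)
    edges2 = edges | {(0, 3)}
    f2 = insert_edge(f, n, 0, 3)                  # (40) for Insert(0, 3)
    ok_insert = f2 == count_paths(n, edges2, active, n)
    g = activate_vertex(f2, n, edges2, 2)         # (42) for Select(2)
    ref = count_paths(n, edges2, active | {2}, n)
    ok_select = all(g[key] == ref[key] for key in g)
    ok_int = (reachable_from_integer(*integer_rep(ref[(0, 3)], n), n)
              and not reachable_from_integer(*integer_rep(ref[(3, 0)], n), n))
    return ok_insert and ok_select and ok_int
```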



6 Conclusion 

In this paper, we have shown that dynamic LTL model checking is in Dyn-TC$^0$. This is a first step towards a dynamic treatment of model checking problems from a complexity-theoretic point of view. Other model checking problems should be considered, and, of course, related problems. For instance, we have not dealt with counter-examples (error traces) in this paper, and it is not clear to us how to maintain counter-examples explicitly, say, by a function which on input $i$ returns the $i$-th state on an error trace.
Abstract. Since the typical AI problem of making a plan of the actions to be performed by a robot so that it could get into a set of final situations, if it started with a certain initial situation, is generally exponential (it is even EXPTIME-complete in the case of games ‘Robot against Nature’), the planners are very sensitive to the number of variables, the inherent symmetry of the problem, and the nature of the logic formalisms being used. The paper shows that linear logic provides a convenient tool for representing planning problems. In particular, the paper focuses on planning problems with an unbounded number of functionally identical objects. We show that for such problems linear logic is especially effective and leads to dramatic contraction of the search space (polynomial instead of exponential). The paper addresses the key issue: “How to automatically recognize functions similarity among objects and break the extreme combinatorial explosion caused by this symmetry,” by means of replacing the unbounded number of specific names of objects with one generic name and contracting thereby the exponential search space over ‘real’ objects to a small polynomial search space but over the ‘generic’ one, and providing a more abstract formulation whose solutions are proved to be directly translatable into (optimal) polytime solutions to the original planning problem.

Keywords: linear logic. 



1 Motivating Examples 

The aim of this paper is to show that the linear logic formalism can automat- 
ically exploit peculiarities of the AI systems under consideration, and achieve 
a significant speedup over the traditional ones by decreasing the combinatorial 
costs associated with searching large spaces. 

There are a number of logical formalisms for handling the typical AI problem of making a plan of the actions to be performed by a robot so that it could get into a set of final situations, if it started with a certain initial situation (e.g., see [17,4,16,9,14,13]). Since the planning problem is generally PSPACE-hard (it is even EXPTIME-complete in the case of games ‘Robot against Nature’ [13]), the planners are very sensitive to the number of variables, functions similarity among objects, and the nature of the logic formalism being used. E.g., the computer-aided planners run into difficulties caused by the combinatorial costs associated with searching large spaces for the following planning problems in AIPS Planning Competitions [1,2] (their common sense solutions are obvious!).



Example 1. “Gripper” [1]: There is a robot with two grippers. It can carry a ball in each. The goal is to take $N$ balls from one room to another¹.

Example 2. “Elevator” [2]: There is an elevator such that only 6 people can be on board at a time. The goal is to move $N$ passengers to their destination.

The situation becomes much more complicated in the case of the knowledge 
acquisition games where we have to look for winning strategies against Nature, 
as in the following folklore example. 

Example 3. “Shoes”: You have N pairs of shoes in your closet, all identical! And 
your hands are numb so you can’t tell if the shoes that you grab are right or left 
handed (footed). The challenge is to pick out enough shoes to make sure you 
have at least one shoe for each foot. 

Our paper focuses on planning problems with an unbounded number of functionally identical objects. To address the key issue: “How to automatically recognize functions similarity among objects and break the combinatorial explosion caused by this symmetry,” we show that a linear logic approach can automatically aid in detecting symmetries in planning domains, providing a radical reduction of the number of variables, and thereby polynomial solutions to such planning problems.

The main idea is as follows. First, having detected symmetry within a given system, we break it by replacing the unbounded number of specific names of objects with one ‘generic’ name, so that one can solve a mock ‘generic’ problem with a drastically smaller state space (polynomial instead of exponential) but over the ‘generic’ object. Secondly, each of the mock solutions dealing with one ‘generic’ object is proved to be directly translatable into an (optimal) polytime solution to the original planning problem dealing with the unbounded number of ‘real’ objects. In other words, for a problem in which $N$ objects, say $b_1, b_2, .., b_N$, cannot be particularized, first, we treat them as identical copies of a single ‘generic’ object $b$, with the set $\{b_1, b_2, .., b_N\}$ being replaced by the multiset $\{b, b, .., b\}$ (which provides a polynomial search space but over one ‘generic’ $b$). Secondly, having found a solution to the ‘generic’ planning problem, we have to convert it into a solution to the original problem.

1 An excerpt from [1]: “STRIPS representation leads to a combinatorial explosion in 
the search space. All planners obviously suffer from this explosion, with the exception 
of HSP that does quite well. Interestingly, HSP plans only transport one ball at a 
time leading to lots of unnecessary move actions ... . IPP has been run with RIFO 
switched on, which excludes one gripper as irrelevant, ie. non-optimal plans are found 
using only the left gripper. . . . IPP and BLACKBOX don’t even provide data on 
the harder problem instances.” 
Contrary to traditional, a.k.a. set-theoretical, logics, linear logic is capable of handling multiset constructs directly. The fact that “two copies of $b$ have property $Q$” can be directly expressed as the formula $(Q(b) \otimes Q(b))$ within the LL framework, with $\otimes$ representing the coexistent “and”. But the situation is generally more subtle and messy. E.g., a formula of the form $(P(b) \otimes Q(b))$ can be interpreted (and used!) in two different ways: “one and the same copy of $b$ has both properties $P$ and $Q$”, or “one copy of $b$ has property $P$, and another has property $Q$”. In the case of a single action of the form $(P(z) \otimes Q(z)) \vdash R(z)$ (which presupposes the former interpretation) the above erasing individuality trick fails: a ‘real’ planning problem of the form $(P(b_1) \otimes Q(b_2)) \Rightarrow (R(b_1) \otimes R(b_2))$ is unsolvable, notwithstanding that the ‘generic’ problem $(P(b) \otimes Q(b)) \Rightarrow R(b)$ has a one-step solution. On the other hand, the latter interpretation is preferable in the case where $(P(b) \otimes Q(b))$ describes a ‘generic’ configuration of the system. To resolve this conflict, we invoke axioms that are monadic with respect to such a $z$. (See Definition 2)

We illustrate our approach with Example 4, which combines basic features of two combinatorially exploded examples “Gripper” and “Elevator” [1,2].

Example 4. “Briareus”²: A robot has $k$ grips. It can carry a ball in each. The goal is to take $N$ balls from one room to another.

The number of total cases to be investigated in the planning process seems to be at least exponential $\Omega(2^N)$, since each of the balls, say $b_1, b_2, .., b_N$, has at least two states: “in room 1”, or “in room 2”. But this combinatorial explosion stems primarily from the fact that we are dealing with the set $\{b_1, b_2, .., b_N\}$ of $N$ distinct names, whereas the balls are supposed to be identical and the initial and final configurations are symmetric w.r.t. the balls’ individual names. Therefore, we will rather deal with the multiset $\{b, b, .., b\}$ consisting of $N$ copies of one ‘generic’ ball $b$, bearing in mind that, because of commutativity of multisets, the number of the corresponding ‘generic’ cases will be polynomial. Another source of a combinatorial explosion $\Omega(2^k)$ here is the unbounded number of grips, say $h_1, h_2, .., h_k$. Since the grips are also indistinguishable and interchangeable within configurations of the system, the collection of all grips could be thought of as the multiset $\{h, h, .., h\}$ consisting of $k$ copies of one ‘generic’ grip $h$.

Let R(x) mean “the robot is in room x”, H(y,z) mean “grip y holds ball z”, 
E(y) mean “grip y of the robot is empty”, and F(x,z) mean “ball z is on the floor 
of room x”. Here x is of sort ‘room’, y is of sort ‘grip’, and z is of sort ‘ball’. 

The ‘pick up’ action: “Being in room x and having the empty grip y, grasp 
and hold ball z with the y”, is formalized by the following ‘Horn clause’ 

pick(x, y, z) := (R(x) ⊗ E(y) ⊗ F(x, z)) ⊢ (R(x) ⊗ H(y, z)) (1) 

The ‘put down’ action: “Being in room x and holding ball z in grip y, put the z 
down on the floor, and leave the y empty”, is specified as 

put(x, y, z) := (R(x) ⊗ H(y, z)) ⊢ (R(x) ⊗ E(y) ⊗ F(x, z)) (2) 

² During the battle against the Titans, Briareus, a hundred-handed giant, took 
advantage of his one hundred hands by throwing rocks at the Titans. Indeed, Briareus 
would have failed if he had wasted his time to particularize the rocks and hands! 
The ‘move’ action: “Move from room x_1 to room x_2”, is axiomatized as 

move(x_1, x_2) := R(x_1) ⊢ R(x_2). (3) 

Within the original planning problem in Example 4 

$\mathrm{In}_{N,k}(h_1,h_2,..,h_k,b_1,b_2,..,b_N) \Rightarrow \mathrm{Goal}_N(b_1,b_2,..,b_N)$ (4) 

we look for a plan of actions (1)-(3) that leads from the initial situation “The 
robot is in room 1 with N balls b_1,b_2,..,b_N, and its grips h_1,h_2,..,h_k are empty”: 

$\mathrm{In}_{N,k}(h_1,..,h_k,b_1,..,b_N) = \Big(R(1) \otimes \bigotimes_{j=1}^{k} E(h_j) \otimes \bigotimes_{i=1}^{N} F(1,b_i)\Big),$ (5) 

into a situation where “All N balls are in room 2”: 

$\mathrm{Goal}_N(b_1,..,b_N) := \bigotimes_{i=1}^{N} F(2,b_i).$ (6) 

Now we mock this original (4) with the following ‘generic’ planning problem 

$\mathrm{In}_{N,k}(h,h,..,h,b,b,..,b) \Rightarrow \mathrm{Goal}_N(b,b,..,b)$ (7) 

The advantage of our erasing individuality trick is that the number of all ‘generic’ 
configurations that can be generated from the ‘generic’ In_{N,k}(h,h,..,h,b,b,..,b) by 
means of actions (1)-(3) turns out to be O(kN), which allows us to find (in 
polytime) the shortest plans, though only for the ‘generic’ problem (7) (see Fig. 1). 



[Figure 1 omitted: a diagram of the search space whose nodes are the abbreviated 
generic configurations described in the caption.] 

Fig. 1. The search space for N = 3, k = 2. Here “R(1)” is abbreviated as “[1]”, “R(2)” 
as “[2]”, “E(h)” as “e”, “H(h,b)” as “c”, “F(1,b)” as “1”, and “F(2,b)” as “2”. 

To complete (and justify) our approach, it still remains to prove that the 
mock ‘generic’ plans found can be easily converted into plans of the actions 
within the real world. 

Suppose we have to translate the following ‘generic’ plan: 

(1) apply pick(1, h, b) to (R(1) ⊗ E(h) ⊗ E(h) ⊗ F(1, b) ⊗ F(1, b) ⊗ F(1, b)), 
resulting in (R(1) ⊗ H(h, b) ⊗ E(h) ⊗ F(1, b) ⊗ F(1, b)); 

(2) apply pick(1, h, b) to (R(1) ⊗ H(h, b) ⊗ E(h) ⊗ F(1, b) ⊗ F(1, b)), 
resulting in (R(1) ⊗ H(h, b) ⊗ H(h, b) ⊗ F(1, b)); 

(3) apply move(1, 2); etc., etc., eventually reaching the ‘generic’ goal 
(R(2) ⊗ E(h) ⊗ E(h) ⊗ F(2, b) ⊗ F(2, b) ⊗ F(2, b)). 

[1]ee111 → [1]ec11 → [1]cc1 → ... → [2]ee222 

We individualize the ‘generic’ names, providing a path through configura-
tions in the real world: 

(1) apply pick(1, h_1, b_1) to (R(1) ⊗ E(h_1) ⊗ E(h_2) ⊗ F(1, b_1) ⊗ F(1, b_2) ⊗ F(1, b_3)), 
resulting in (R(1) ⊗ H(h_1, b_1) ⊗ E(h_2) ⊗ F(1, b_2) ⊗ F(1, b_3)); 

(2) apply pick(1, h_2, b_2) to (R(1) ⊗ H(h_1, b_1) ⊗ E(h_2) ⊗ F(1, b_2) ⊗ F(1, b_3)), 
resulting in (R(1) ⊗ H(h_1, b_1) ⊗ H(h_2, b_2) ⊗ F(1, b_3)); 

(3) apply move(1, 2); etc., etc., eventually reaching the real goal 
(R(2) ⊗ E(h_1) ⊗ E(h_2) ⊗ F(2, b_1) ⊗ F(2, b_2) ⊗ F(2, b_3)). 

Theorems 1 and 2 provide an easy-to-check syntactical criterion for our erasing 
individuality technique to be automatically correct within Example 4. ■ 
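The erasing individuality trick on Example 4, as an added example that is not part of the paper: a breadth-first search over ‘generic’ configurations (multisets over the one generic grip h and the one generic ball b), followed by the individualization step illustrated above. The atom encoding, the function names and the N = 3, k = 2 instance are this example’s own choices, not the paper’s; the individualization replays the generic plan over the distinct names h1, h2, b1, b2, b3 and checks every precondition in the real world, which is the correctness property Theorems 1 and 2 guarantee for monadic axioms.

```python
from collections import Counter, deque

# Added example, not from the paper: the erasing-individuality trick of Example 4
# ("Briareus") run as a breadth-first search over 'generic' configurations, followed
# by the individualization step that turns the generic plan into a real one.
# A generic configuration is a multiset (Counter) of atoms in which every grip is the
# generic grip "h" and every ball the generic ball "b". Atom encoding (constructed here):
#   ("R", room)       robot is in room        ("E", "h")        a grip is empty
#   ("H", "h", "b")   a grip holds a ball     ("F", room, "b")  a ball is on the floor of room

def generic_initial(n_balls, k_grips):
    """In_{N,k}(h,..,h,b,..,b) of (7): robot in room 1, k empty grips, N balls on floor 1."""
    return Counter({("R", 1): 1, ("E", "h"): k_grips, ("F", 1, "b"): n_balls})

def goal_reached(cfg, n_balls):
    """Goal_N(b,..,b) of (6): N balls on the floor of room 2 (other atoms may be weakened away)."""
    return cfg[("F", 2, "b")] >= n_balls

def generic_successors(cfg):
    """Generic instances of pick (1), put (2) and move (3) applicable to cfg."""
    for room in (1, 2):
        if cfg[("R", room)] == 0:
            continue
        if cfg[("E", "h")] and cfg[("F", room, "b")]:      # pick(room, h, b)
            new = cfg.copy()
            new[("E", "h")] -= 1
            new[("F", room, "b")] -= 1
            new[("H", "h", "b")] += 1
            yield ("pick", room, "h", "b"), +new             # unary + drops zero counts
        if cfg[("H", "h", "b")]:                              # put(room, h, b)
            new = cfg.copy()
            new[("H", "h", "b")] -= 1
            new[("E", "h")] += 1
            new[("F", room, "b")] += 1
            yield ("put", room, "h", "b"), +new
        new = cfg.copy()                                      # move(room, other)
        other = 3 - room
        new[("R", room)] -= 1
        new[("R", other)] += 1
        yield ("move", room, other), +new

def shortest_generic_plan(n_balls, k_grips):
    """BFS in the generic space; returns (shortest plan, number of generic configurations visited)."""
    key = lambda c: frozenset(c.items())
    start = +generic_initial(n_balls, k_grips)
    parent = {key(start): None}
    queue = deque([start])
    while queue:
        cfg = queue.popleft()
        if goal_reached(cfg, n_balls):
            plan, k = [], key(cfg)
            while parent[k] is not None:
                k, action = parent[k]
                plan.append(action)
            return plan[::-1], len(parent)
        for action, nxt in generic_successors(cfg):
            if key(nxt) not in parent:
                parent[key(nxt)] = (key(cfg), action)
                queue.append(nxt)
    return None, len(parent)

def individualize(plan, n_balls, k_grips):
    """Replay the generic plan over distinct names h1..hk, b1..bN, choosing at each step any
    grip and ball that satisfy the action's precondition (by Theorem 2 any such choice works).
    Returns the real plan and the final real configuration (a set of ground atoms)."""
    state = {("R", 1)}
    state |= {("E", f"h{j}") for j in range(1, k_grips + 1)}
    state |= {("F", 1, f"b{i}") for i in range(1, n_balls + 1)}
    real_plan = []
    for action in plan:
        if action[0] == "move":
            _, src, dst = action
            assert ("R", src) in state, "precondition R(src) violated"
            state = (state - {("R", src)}) | {("R", dst)}
        else:
            kind, room = action[0], action[1]
            assert ("R", room) in state, "precondition R(room) violated"
            if kind == "pick":
                grip = next(a[1] for a in sorted(state) if a[0] == "E")
                ball = next(a[2] for a in sorted(state) if a[0] == "F" and a[1] == room)
                state = (state - {("E", grip), ("F", room, ball)}) | {("H", grip, ball)}
            else:
                _, grip, ball = next(a for a in sorted(state) if a[0] == "H")
                state = (state - {("H", grip, ball)}) | {("E", grip), ("F", room, ball)}
            action = (kind, room, grip, ball)
        real_plan.append(action)
    return real_plan, state

if __name__ == "__main__":
    plan, seen = shortest_generic_plan(3, 2)
    print(len(plan), "generic steps found after visiting", seen, "generic configurations")
    print(individualize(plan, 3, 2))
```

For N = 3 and k = 2 the generic search touches at most 18 configurations (the robot’s room times the ways of distributing three indistinguishable balls between the two floors and the two grips), the shortest generic plan has 9 steps, and the replayed plan ends with R(2), both grips empty and F(2, b1), F(2, b2), F(2, b3) on the floor; the same search over named balls and grips would have to distinguish 2^N floor assignments before even counting the grips.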

Example 5 illustrates confusing subtleties of asymmetric input-outputs even 
within the same ‘symmetric’ domain of Example 4. 

Example 5. There is a ball in each of two rooms, say ball b_1 in room 1, and 
ball b_2 in room 2. A one-handed robot is to exchange these two balls. 

The ‘real’ planning problem in Example 5 is as follows: 

(R(1) ⊗ E(h_1) ⊗ F(1, b_1) ⊗ F(2, b_2)) ⇒ (F(2, b_1) ⊗ F(1, b_2)) (8) 

Erasing individuality yields the ‘generic’ planning problem 

(R(1) ⊗ E(h) ⊗ F(1, b) ⊗ F(2, b)) ⇒ (F(2, b) ⊗ F(1, b)) (9) 

which has a trivial solution “Do nothing”. But such a ‘generic’ solution cannot 
give any clue to the real planning problem (8). ■ 

Lastly, a more complicated case of a knowledge acquisition game ‘Robot 
against Nature’ is illustrated with the following example. 

Example 6. “Rouge et Noir”. A robot deals with N balls wrapped with paper. 
Each ball is either red or black. The goal is to unwrap enough balls to be sure 
to obtain exactly n one-colored balls. 

Let W(z) mean “ball z is wrapped with paper”, R(z) mean “an unwrapped 
ball z has turned out to be red”, and B(z) mean “an unwrapped ball z is black”. 
The ‘learn’ action: “Unwrap ball z, with its color being revealed”, is formalized as 

learn(z) := W(z) ⊢ (R(z) ⊕ B(z)); (10) 

the disjunctive ⊕-form of which emphasizes that the effect of this unwrapping 
is non-deterministic: the robot does not know, in advance, which colour the ball 
chosen will be of. 

For N balls, say b_1,b_2,..,b_N, let 

$\mathrm{In}_N(b_1,..,b_N) = \bigotimes_{i=1}^{N} W(b_i),$ 

and 

$\mathrm{Goal}_{N,n}(b_1,..,b_N) = \bigoplus_{\{i_1,..,i_n\}} \bigotimes_{j=1}^{n} R(b_{i_j}) \;\oplus\; \bigoplus_{\{i_1,..,i_n\}} \bigotimes_{j=1}^{n} B(b_{i_j})$ 

(here {i_1,..,i_n} ranges over all n-element subsets of {1,..,N}), then the ‘real’ 
planning problem in Example 6 is In_N(b_1,b_2,..,b_N) ⇒ Goal_{N,n}(b_1,b_2,..,b_N). 
Any solution to the problem seems to be at least exponential, since a plan 
we are looking for here is a winning strategy that should envisage all possible 
reactions of Nature on the road from the initial position to a final position, and 
the number of the corresponding ‘red-black’ distributions is Ω(2^N). 

Our erasing individuality trick yields the mock ‘generic’ planning problem 

$\mathrm{In}_N(b,b,..,b) \Rightarrow \mathrm{Goal}_{N,n}(b,b,..,b)$ (11) 

with 

$\mathrm{Goal}_{N,n}(b,b,..,b) = (\underbrace{R(b) \otimes \cdots \otimes R(b)}_{n \text{ times}}) \oplus (\underbrace{B(b) \otimes \cdots \otimes B(b)}_{n \text{ times}}).$ 

The number of all ‘generic’ configurations in question is O(N^3). Hence, a 
mock winning strategy to (11), if any, can be assembled in polytime in a bottom-
up manner (see Theorem 4). For N = 3, n = 2, the result is shown in Fig. 2. Each 
vertex v prescribes that the robot performs a certain action; its outgoing edges 
show all effects of the action. E.g., at the initial position WWW, learn(b) is applied, 
with two outgoing edges showing two possible Nature’s reactions: RWW and BWW. 



[Figure 2 omitted: the tree of generic positions rooted at WWW.] 

Fig. 2. The ‘generic’ winning strategy. Here W stands for W(b), R for R(b), and B for B(b). 



By Theorem 2, we can convert this ‘generic’ winning strategy into a winning 
strategy over the real world (following this strategy, the robot can never ever be 
punished by Nature’s choice of the color of the three balls): 

(a) At the initial position (W(b_1) ⊗ W(b_2) ⊗ W(b_3)), apply learn(b_1), resulting ei-
ther in (R(b_1) ⊗ W(b_2) ⊗ W(b_3)), or in (B(b_1) ⊗ W(b_2) ⊗ W(b_3)). 

(b) At a position of the form (R(b_1) ⊗ W(b_2) ⊗ W(b_3)), apply learn(b_2). 

(c) At a position of the form (B(b_1) ⊗ W(b_2) ⊗ W(b_3)), apply learn(b_2). 

(d) At a position of the form (R(b_{π(1)}) ⊗ B(b_{π(2)}) ⊗ W(b_{π(3)})) (for some permuta-
tion π), apply learn(b_{π(3)}). 

2 The Disjunctive Horn Linear Logic 

We will use the following syntactical conventions. A number of sorts τ_1,..,τ_s 
is assumed. A formula of the form P_1(t_{1,1},..,t_{1,k_1}) ⊗ ··· ⊗ P_m(t_{m,1},..,t_{m,k_m}), 
where P_1,..,P_m are predicate symbols and the t_{i,j} are variables or constants of 
the corresponding sorts τ_1,..,τ_s, is called an LL-monomial of degree m. The 
trivial LL-monomial 1 of degree 0 is allowed, for which X ⊗ 1 = X. Formu-
las of the form (Z_1 ⊕ Z_2 ⊕ ··· ⊕ Z_k), with Z_1,..,Z_k being LL-monomials, are called 
LL-polynomials. LL-monomials and LL-polynomials are taken modulo commuta-
tivity and associativity of ⊗ and ⊕. A disjunctive Horn clause is a sequent of the 
form X ⊢ (Y_1 ⊕ Y_2 ⊕ ··· ⊕ Y_ℓ) where X, Y_1, Y_2, .., Y_ℓ are LL-monomials (ℓ ≥ 1). 
Intuitively, this Horn clause represents a move of a robot based on precondition X 
accomplished by one of the possible responses Y_1,Y_2,..,Y_ℓ of Nature. A Horn clause 
of the form X ⊢ Y_1 will be also called a pure Horn clause. Let #_z(X) denote 
the number of all occurrences of the z in an LL-monomial X. For LL-monomials 
Y_1,Y_2,..,Y_ℓ, #_z(Y_1 ⊕ Y_2 ⊕ ··· ⊕ Y_ℓ) := max{#_z(Y_j) | j = 1, 2, .., ℓ}. 

Given a sort τ, we will write A(z_1, z_2, .., z_n) to indicate that the list z_1,z_2,..,z_n 
contains all variables of the sort τ that occur in the A. By symmetric closure 
A^Sym(z_1,z_2,..,z_n) of a given A(z_1,z_2,..,z_n), we mean the following formula 
⊕_π A(z_{π(1)}, z_{π(2)}, .., z_{π(n)}), where π ranges over all permutations of the indices 1,..,n. 

A formula A(z_1,z_2,..,z_n) is symmetric if, for any permutation π, a sequent of 
the form A(z_1,z_2,..,z_n) ⊢ A(z_{π(1)}, z_{π(2)}, .., z_{π(n)}) is derivable in linear logic. 
The desired property “generic plans ⇒ real plans” is represented as follows. 

Definition 1. Let Ax_T be a set of ‘proper axioms’ specifying the theory T. A 
given sort τ is said to be generic within AL-theory T, if the following holds: 
whatever variables z,z_1,z_2,..,z_n of sort τ, LL-monomial W(z_1,z_2,..,z_n), in which 
each of the z_i has exactly one occurrence, and LL-polynomial Z(z_1,z_2,..,z_n) such 
that #_{z_i}(Z) ≤ 1 for each z_i, we take, if a sequent of the form 

W(z,z,..,z) ⊢ Z(z,z,..,z) (12) 

is derivable from Ax_T by the rules of affine logic³ then a sequent of the form 

W(z_1,z_2,..,z_n) ⊢ Z^Sym(z_1,z_2,..,z_n) (13) 

is also derivable from Ax_T by the rules of affine logic. 

(a) The condition on the number of occurrences of z_i makes sense. Let, for 
instance, W(z_1,z_2) := (P(z_1) ⊗ Q(z_2)), and Z(z_1,z_2) := (P(z_1) ⊗ Q(z_1)). Then 
W(z,z) ⊢ Z(z,z) is derivable, but W(z_1,z_2) ⊢ (Z(z_1,z_2) ⊕ Z(z_2,z_1)) is not. 

(b) We have need of the permutations in Definition 1. Let, for instance, 
W(z_1,z_2) := (P(z_1) ⊗ Q(z_2)), and Z(z_1,z_2) := (Q(z_1) ⊗ P(z_2)). 

Then W(z,z) ⊢ Z(z,z) is derivable, but W(z_1,z_2) ⊢ Z(z_1,z_2) is not. 

Proposition 1. Let τ be a generic sort within theory T. Let z_1,z_2,..,z_n be vari-
ables of sort τ, and W(z_1,z_2,..,z_n) be an LL-monomial in which each of the z_i 
has exactly one occurrence, and Z(z_1,z_2,..,z_n) be a symmetric LL-polynomial 
such that #_{z_i}(Z) ≤ 1 for each z_i. Then for any constants b, b_1,b_2,..,b_n of sort τ 
that have no occurrence in Ax_T, W, and Z, the sequent 

W(b_1,b_2,..,b_n) ⊢ Z(b_1,b_2,..,b_n) (14) 

is derivable from Ax_T in affine logic if and only if a sequent of the ‘generic’ form 

W(b,b,..,b) ⊢ Z(b,b,..,b) (15) 

is derivable from Ax_T by the rules of affine logic. 

Thus, the original planning problem (14) dealing with a variety of n ‘real 
objects’ can be fully sorted out in terms of the ‘generic’ planning problem (15) 
dealing with only one ‘generic object’. 

³ Affine logic = linear logic + Weakening rule. 

3 ‘Generic’ Plans ⇒ ‘Real’ Plans 

Definition 2. Let #_τ(X) denote the number of all occurrences of variables of 
sort τ in an LL-monomial X. 

#_τ(Y_1 ⊕ ··· ⊕ Y_ℓ) := max{#_τ(Y_j) | j = 1, 2, .., ℓ} for LL-monomials Y_1,..,Y_ℓ. 

A disjunctive Horn clause X ⊢ (Y_1 ⊕ ··· ⊕ Y_ℓ) is said to be τ-monadic if 
#_τ(Y_1 ⊕ ··· ⊕ Y_ℓ) ≤ #_τ(X) ≤ 1. 



We will use the following strong version of the normalization lemma for Horn 
linear logic (cf. [12]). 

Lemma 1. Let Ax_T consist of disjunctive Horn clauses. 

Given LL-monomials W, Z_1,Z_2,..,Z_k, let a sequent of the form W ⊢ Z, where 
Z = (Z_1 ⊕ ··· ⊕ Z_k), be derivable from Ax_T in affine logic. Then W ⊢ Z is deriv-
able from Ax_T by means of the following rules 

$\dfrac{(V \otimes Y_1) \vdash Z \qquad (V \otimes Y_2) \vdash Z \qquad \cdots \qquad (V \otimes Y_\ell) \vdash Z}{(V \otimes X) \vdash Z}$ (16) 

(where X ⊢ (Y_1 ⊕ Y_2 ⊕ ··· ⊕ Y_ℓ) is an instance of a sequent from Ax_T, and V is any 
LL-monomial) and 

$\dfrac{}{(Z_i \otimes Z') \vdash Z}$ (17) 

(Z' is any LL-monomial). 



Theorem 1. For a given sort τ, let Ax_T consist only of τ-monadic disjunctive 
Horn clauses. Then sort τ is generic within AL-theory T, and, in addition to 
that, whatever z_1,z_2,..,z_n, variables of sort τ, W(z_1,z_2,..,z_n), an LL-monomial 
in which each of the z_i has exactly one occurrence, and Z(z_1,z_2,..,z_n), an 
LL-polynomial such that #_{z_i}(Z) ≤ 1 for each z_i, we take, every AL-proof within 
theory T for (12) can be translated into an AL-proof within theory T for (13). 

Proof. Given an AL-proof for (12), first, by Lemma 1 we translate it into a 
derivation tree with rules (16) and (17). Then we assemble the desired proof 
for (13) by induction on this derivation. Let us sketch the basic case of rule (16). 

Suppose that X(v) ⊢ (Y_1(v) ⊕ Y_2(v)) is a τ-monadic Horn clause from Ax_T, 
and v is a variable of sort τ, and for some LL-monomial V(z_2,..,z_n), the sequent 
V(z,..,z) ⊗ X(z) ⊢ Z(z,z,..,z) is produced by rule (16) from the sequents 
V(z,..,z) ⊗ Y_1(z) ⊢ Z(z,z,..,z) and V(z,..,z) ⊗ Y_2(z) ⊢ Z(z,z,..,z). By the hy-
pothesis, two sequents of the form V(u_2,..,u_n) ⊗ Y_1(u_1) ⊢ Z^Sym(u_1,u_2,..,u_n) 
and V(v_2,..,v_n) ⊗ Y_2(v_1) ⊢ Z^Sym(v_1,v_2,..,v_n) are derivable by rules (16) and 
(17), where u_1,..,u_n and v_1,..,v_n are permutations of z_1,..,z_n. Since Z^Sym(z_1, 
z_2,..,z_n) is symmetric, V(z_2,..,z_n) ⊗ Y_1(z_1) ⊢ Z^Sym(z_1,z_2,..,z_n) and V(z_2,.., 
z_n) ⊗ Y_2(z_1) ⊢ Z^Sym(z_1,z_2,..,z_n) are also derivable, and the same rule (16) 
provides derivability of V(z_2,..,z_n) ⊗ X(z_1) ⊢ Z^Sym(z_1,z_2,..,z_n). ■ 

3.1 Plans, a.k.a. Winning Strategies 

For the systems with purely deterministic actions, a plan 𝒫 is defined as a chain 
of the actions [17,4,16]. In order to cover the general case where actions with 
non-deterministic effects are allowed, we extend this definition to graph plans 
𝒫, in which each vertex v prescribes the performance of a certain action, with 
its outgoing edges showing all possible reactions of Nature. 

Definition 3. Let Ax_T be a set of disjunctive Horn clauses specifying actions in 
a given robot system. 

A plan 𝒫 for a given problem W ⇒ (Z_1 ⊕ ··· ⊕ Z_k) is a finite directed graph 
having no directed cycles such that 

(a) each node v with exactly ℓ ≥ 1 sons w_1,..,w_ℓ is labelled by an instance of 
a Horn clause from Ax_T (representing the action performed at v) of the form 

X ⊢ (Y_1 ⊕ ··· ⊕ Y_ℓ) (18) 

and by an LL-monomial (representing the position at v) of the form (X ⊗ V); 

(b) the outgoing edges (v,w_1), .., (v,w_ℓ) are labeled by pure Horn clauses 

X ⊢ Y_1, .., X ⊢ Y_ℓ, respectively; 

(c) the position each w_j is labeled by must be equal to (Y_j ⊗ V) (showing all 
possible effects of action (18)); 

(d) there is exactly one node having no incoming edges (the root); the position 
at the root is W; 

(e) each node v having no outgoing edges (a terminal node) is labeled only by 
an LL-monomial of the form (Z_i ⊗ Z') (representing a final position). 

In many cases Definition 3 yields winning strategies of exponential size for 
purely technical reasons, even if they have a uniform structure. Therefore, we 
make Definition 3 more liberal in the following respect. We will allow any node v 
to be labelled by a position pattern of the form (X(z_1) ⊗ V(z_2,..,z_n)), meaning 
that, being at a position of the form (X(c_1) ⊗ V(c_2,..,c_n)), where c_1,c_2,..,c_n is 
a permutation of b_1,b_2,..,b_n, the robot should apply the corresponding version 
of the action this node v is labeled by. (See Example 6.) 

Theorem 2. For a given sort τ, let Ax_T consist only of τ-monadic disjunc-
tive Horn clauses. Let z_1,z_2,..,z_n be variables of sort τ, and W(z_1,z_2,..,z_n) 
be an LL-monomial in which each of the z_i has exactly one occurrence, and 
Z(z_1,z_2,..,z_n) be a symmetric LL-polynomial such that #_{z_i}(Z) ≤ 1 for each z_i. 
Let b, b_1,b_2,..,b_n be constants of sort τ having no occurrence in Ax_T, W, and Z. 
Then every cut-free AL-proof within theory T for (15) (dealing with one ‘generic 
object’ b) can be converted (in polytime) into a solution, a winning strategy, to 
the planning problem (14) dealing with n ‘real objects’. 

Proof Sketch. A given AL-proof is transformed into a derivation D for (15) 
with rules from Lemma 1. Because of τ-monadicness, each of the sequents in 
this D is of the form U(b,..,b) ⊢ Z(b,..,b), for some LL-monomial U(z_1,..,z_n). 
The desired winning strategy S is constructed as follows. 

The left-hand sides U(b,..,b) of different sequents from D are taken as the 
nodes of S. The position pattern the node U(b,..,b) must be labeled by is defined 
as U(z_1,..,z_n). By D_U we denote one of the sub-derivations whose root is of the form 
U(b,..,b) ⊢ Z(b,..,b) and whose height is minimal. Suppose that in D_U its root is 
produced by rule (16) from the sequents just above 

U_1(b,..,b) ⊢ Z(b,..,b), ... U_ℓ(b,..,b) ⊢ Z(b,..,b), 

invoking an instance of a sequent from Ax_T of the form 

X ⊢ (Y_1 ⊕ ··· ⊕ Y_ℓ) (19) 

Then we label this node U(b,..,b) by (19), make arrows from U(b,..,b) to each 
of the nodes U_1(b,..,b), ..., U_ℓ(b,..,b), and label these edges by X ⊢ Y_1, ..., 
X ⊢ Y_ℓ, respectively. (See Figure 2.) 

Notice that the size of the plan S constructed is bounded by the number of 
different sequents in derivation D. ■ 

Corollary 1. Within Example 4, 

the ‘real’ planning problem In_{N,k}(h_1,h_2,..,h_k,b_1,b_2,..,b_N) ⊢ Goal_N(b_1,b_2,..,b_N) 
can be fully sorted out in terms of 

the ‘generic’ planning problem In_{N,k}(h,h,..,h,b,b,..,b) ⊢ Goal_N(b,b,..,b). 

4 Complexity 

4.1 Weighted Balance ⇒ EXPTIME Decidability 

The (propositional) disjunctive Horn linear logic is undecidable [12]. By means 
of the “mixed balance” we show here that the planning problem is decidable for 
a reasonably wide class of natural robot systems (cf. [13]). 

Suppose that sorts τ_1,...,τ_m are fixed. Given an LL-monomial X, we define 
its mixed weight ω_{τ_1..τ_m}(X) as follows: 

ω_{τ_1..τ_m}(X) = #_{τ_1}(X) + ··· + #_{τ_m}(X) + the number of occurrences of 
atomic formulas in X that do not contain an occurrence of a variable of 
any of the sorts τ_1,...,τ_m. 

E.g., for Y = (R(x) ⊗ H(y, z)), ω_{ball,grip}(Y) = 3; 
for X = (R(x) ⊗ E(y) ⊗ F(x, z)), ω_{ball,grip}(X) = 3. 

Definition 4. Let Ax_T consist of disjunctive Horn clauses. We will say that 
Ax_T is well-balanced if one can find sorts τ_1,...,τ_m (m ≥ 0) such that for any 
sequent X ⊢ (Y_1 ⊕ ··· ⊕ Y_ℓ) taken from Ax_T the following holds: 

ω_{τ_1..τ_m}(Y_1), ..., ω_{τ_1..τ_m}(Y_ℓ) ≤ ω_{τ_1..τ_m}(X). 

E.g., the system of axioms in Example 4 turns out to be well-balanced, notwith-
standing that this system is not well-balanced in the strict sense of [13]. 

Theorem 3. Let Ax_T be well-balanced, and D be a derivation for a sequent of 
the form W ⊢ Z based on rules (16) and (17) from Lemma 1. Then one can 
construct (at least in EXPTIME) a solution, a winning strategy, to W ⇒ Z. 

Proof. Cf. [13]. ■ 
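The two syntactic criteria the paper relies on, τ-monadic clauses (Definition 2) and well-balanced axiom sets (Definition 4, with the mixed weight ω of Section 4.1), as executable checks. This is an added example, not code from the paper; the encoding of sorted variables and atoms, the function names, and the list of sort choices tried are assumptions of this example, while the axioms are those of Examples 4 and 6. For a sort that does not occur in a clause at all the monadicity test holds vacuously (0 ≤ 0 ≤ 1), which is why the single learn clause of Example 6 passes for every sort.

```python
# Added example, not from the paper: the syntactic criteria of Definition 2 (τ-monadic) and
# Definition 4 (well-balanced) as executable checks, run over the axioms of Example 4
# (pick/put/move) and Example 6 (learn). Encoding constructed for this example:
# an argument is (name, sort), with sort None for a constant; an atom is (predicate, args);
# an LL-monomial is a tuple of atoms; an axiom X ⊢ (Y1 ⊕ ... ⊕ Yl) is (X, [Y1, ..., Yl]).

def count_sort(monomial, sort):
    """#_τ(X): the number of occurrences of variables of sort τ in the LL-monomial X."""
    return sum(1 for _, args in monomial for _, s in args if s == sort)

def is_monadic(axiom, sort):
    """Definition 2: #_τ(Y1 ⊕ .. ⊕ Yl) ≤ #_τ(X) ≤ 1, #_τ of the polynomial being the max over disjuncts."""
    x, ys = axiom
    return max(count_sort(y, sort) for y in ys) <= count_sort(x, sort) <= 1

def mixed_weight(monomial, sorts):
    """ω_{τ1..τm}(X) of Section 4.1: occurrences of variables of the chosen sorts, plus the
    atoms that mention no variable of any of those sorts."""
    from_sorts = sum(count_sort(monomial, s) for s in sorts)
    other_atoms = sum(1 for _, args in monomial if not any(s in sorts for _, s in args))
    return from_sorts + other_atoms

def is_well_balanced(axioms, sorts):
    """Definition 4 for one candidate choice of sorts: no response may outweigh its precondition."""
    return all(mixed_weight(y, sorts) <= mixed_weight(x, sorts) for x, ys in axioms for y in ys)

# Variables of Example 4: x, x1, x2 of sort 'room'; y of sort 'grip'; z of sort 'ball'.
X, X1, X2, Y, Z = ("x", "room"), ("x1", "room"), ("x2", "room"), ("y", "grip"), ("z", "ball")
EXAMPLE4 = {
    "pick": ((("R", (X,)), ("E", (Y,)), ("F", (X, Z))), [(("R", (X,)), ("H", (Y, Z)))]),
    "put":  ((("R", (X,)), ("H", (Y, Z))), [(("R", (X,)), ("E", (Y,)), ("F", (X, Z)))]),
    "move": ((("R", (X1,)),), [(("R", (X2,)),)]),
}
# Example 6: learn(z) := W(z) ⊢ (R(z) ⊕ B(z)), a disjunctive clause with two responses.
EXAMPLE6 = {"learn": ((("W", (Z,)),), [(("R", (Z,)),), (("B", (Z,)),)])}

SORT_CHOICES = ((), ("ball",), ("grip",), ("ball", "grip"))   # candidates for τ1..τm (m ≥ 0)

def report(axioms):
    """Sorts for which every axiom is monadic, and sort choices making the system well-balanced."""
    clauses = list(axioms.values())
    monadic = {s for s in ("room", "grip", "ball") if all(is_monadic(c, s) for c in clauses)}
    balanced = {sorts for sorts in SORT_CHOICES if is_well_balanced(clauses, sorts)}
    return monadic, balanced

if __name__ == "__main__":
    print("Example 4:", report(EXAMPLE4))
    print("Example 6:", report(EXAMPLE6))
```

On Example 4 the checks find that 'grip' and 'ball' are monadic sorts while 'room' is not (the precondition of pick mentions x twice), and that among the four sort choices tried only {ball, grip} balances the system: with no sorts chosen, or with one of the two, put produces a response heavier than its precondition.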



4.2 Monadic & Balanced ⇒ Polytime Planning 

Theorem 4. Let Ax_T be well-balanced, and for a given sort τ, let Ax_T consist 
only of τ-monadic disjunctive Horn clauses. 

Let z_1,z_2,..,z_n be variables of sort τ, and W(z_1,z_2,..,z_n) be an LL-monomial 
in which each of the z_i has exactly one occurrence, and Z(z_1,z_2,..,z_n) be a 
symmetric LL-polynomial such that #_{z_i}(Z) ≤ 1 for each z_i. Let b_1,b_2,..,b_n be 
constants of sort τ having no occurrence in Ax_T, W, and Z. Then we can de-
termine in polynomial time whether there is a plan for the problem 

W(b_1,b_2,..,b_n) ⊢ Z(b_1,b_2,..,b_n) (20) 

and, if the answer is positive, make such a plan in polynomial time. 

Proof Sketch. According to Theorem 2, it suffices to take a derivation D for a 
“mock” sequent of the form 

W(b,b,..,b) ⊢ Z(b,b,..,b) (21) 

Let m be the string length of the formula W(b,..,b). By Lemma 1, we can confine 
ourselves to derivations D in which all sequents are of the form 
U(b,..,b) ⊢ Z(b,..,b) and the degree of U(b,..,b) does not exceed m. 

The number of all U(b,..,b) whose degree does not exceed m is polynomial. 
The degree of the polynomial is determined by the number of predicate symbols, 
their arity, and the number of constants in Ax_T, W(b,..,b), and Z(b,b,..,b). 

Applying the bottom-up technique, we can construct in polytime a list of 
all U(b,..,b) used in the proof of Theorem 2, thereby providing the desired winning 
strategy. ■ 
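The bottom-up construction behind Example 6 (the strategy of Fig. 2), Definition 3 and the proof sketch of Theorem 4, as an added example rather than the paper’s own code: a least-fixpoint computation of the winning ‘generic’ positions with rules (16) and (17) of Lemma 1 as its local steps, followed by extraction of the plan graph. Positions are multisets of propositional atoms over the single generic constant b; the axiom and goal encodings, the function names, and the two instances run (Example 6 with N = 3, n = 2, and the generic problem (9) of Example 5 with pick/put/move specialized to rooms 1 and 2) are this example’s assumptions.

```python
from collections import Counter

# Added example, not from the paper: bottom-up construction of a 'generic' winning strategy
# (Definition 3, Theorem 4) using rules (16)/(17) of Lemma 1 as local steps. Positions are
# multisets of propositional atoms over the one generic constant b ("W" = W(b), etc.);
# an axiom is (X, [Y1, ..., Yl]): precondition X, and the responses Nature may choose.

def freeze(position):
    """Hashable view of a multiset (zero counts are never stored in the positions we build)."""
    return frozenset(position.items())

def contains(position, x):
    """Does the position have the form (X ⊗ V), i.e. is X a sub-multiset of it?"""
    return all(position[atom] >= n for atom, n in x.items())

def apply_axiom(position, x, y):
    """Move from (X ⊗ V) to (Yj ⊗ V): remove the precondition, add Nature's response."""
    return +(position - x + y)

def reachable_positions(start, axioms):
    """Forward closure of the generic space; for well-balanced axioms (Definition 4) it stays small."""
    seen, stack = {freeze(start): start}, [start]
    while stack:
        pos = stack.pop()
        for x, ys in axioms:
            if contains(pos, x):
                for y in ys:
                    nxt = apply_axiom(pos, x, y)
                    if freeze(nxt) not in seen:
                        seen[freeze(nxt)] = nxt
                        stack.append(nxt)
    return seen

def winning_strategy(start, axioms, goal):
    """Least fixpoint of the winning positions. Rule (17): a position containing some goal
    disjunct Zi is terminal. Rule (16): a position wins if some applicable axiom leads to a
    winning position for every response of Nature. Returns {position: axiom index, or None
    at terminal nodes}, or None if the start position does not win."""
    positions = reachable_positions(start, axioms)
    strategy = {k: None for k, p in positions.items() if any(contains(p, z) for z in goal)}
    changed = True
    while changed:
        changed = False
        for key, pos in positions.items():
            if key in strategy:
                continue
            for i, (x, ys) in enumerate(axioms):
                if contains(pos, x) and all(freeze(apply_axiom(pos, x, y)) in strategy for y in ys):
                    strategy[key], changed = i, True
                    break
    return strategy if freeze(start) in strategy else None

def plan_graph(start, axioms, strategy):
    """The plan of Definition 3: nodes reached from the root by following the strategy, each
    mapped to the positions its outgoing edges lead to (terminal nodes map to [])."""
    graph, stack = {}, [start]
    while stack:
        pos = stack.pop()
        if freeze(pos) in graph:
            continue
        choice = strategy[freeze(pos)]
        if choice is None:
            graph[freeze(pos)] = []
            continue
        x, ys = axioms[choice]
        succ = [apply_axiom(pos, x, y) for y in ys]
        graph[freeze(pos)] = [freeze(s) for s in succ]
        stack.extend(succ)
    return graph

# Example 6, "Rouge et Noir": learn(b) := W(b) ⊢ (R(b) ⊕ B(b)).
LEARN = (Counter({"W": 1}), [Counter({"R": 1}), Counter({"B": 1})])

def rouge_et_noir(n_balls, n_same):
    """Generic plan graph for In_N(b,..,b) ⇒ Goal_{N,n}(b,..,b), or None if there is no strategy."""
    start = Counter({"W": n_balls})
    goal = [Counter({"R": n_same}), Counter({"B": n_same})]
    strategy = winning_strategy(start, [LEARN], goal)
    return None if strategy is None else plan_graph(start, [LEARN], strategy)

# Example 5 in the same generic space: pick/put/move over one grip h and one ball b, with the
# room constants folded into the atom names (R1 = R(1), F2 = F(2,b), E = E(h), H = H(h,b)).
ROBOT = [
    (Counter({"R1": 1, "E": 1, "F1": 1}), [Counter({"R1": 1, "H": 1})]),  # pick(1, h, b)
    (Counter({"R2": 1, "E": 1, "F2": 1}), [Counter({"R2": 1, "H": 1})]),  # pick(2, h, b)
    (Counter({"R1": 1, "H": 1}), [Counter({"R1": 1, "E": 1, "F1": 1})]),  # put(1, h, b)
    (Counter({"R2": 1, "H": 1}), [Counter({"R2": 1, "E": 1, "F2": 1})]),  # put(2, h, b)
    (Counter({"R1": 1}), [Counter({"R2": 1})]),                           # move(1, 2)
    (Counter({"R2": 1}), [Counter({"R1": 1})]),                           # move(2, 1)
]

def example5_generic_is_do_nothing():
    """Generic problem (9): the start already contains the goal, so the root is terminal and
    the strategy is 'do nothing', the solution that says nothing about the real problem (8)."""
    start = Counter({"R1": 1, "E": 1, "F1": 1, "F2": 1})
    strategy = winning_strategy(start, ROBOT, [Counter({"F2": 1, "F1": 1})])
    return strategy is not None and strategy[freeze(start)] is None
```

For N = 3, n = 2 the extracted graph has eight nodes, four of them terminal, and matches the strategy (a)-(d) spelled out after Fig. 2: learn at WWW, at RWW and BWW, and at the mixed position RBW, with RRW, BBW, RRB and RBB as final positions. For n = 3 no strategy exists, since Nature can always answer the second unwrapping with the other colour; and Example 5’s generic problem is solved at the root without any action, exactly the uninformative answer the text warns about.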
5 Yet Another Formalism . . . 

What kind of arguments could we offer about linear logic superiority as a mod-
eling formalism for the planning domain considered here? 

Schematically, our approach involves the following steps: 

(a) ‘Generic’ Planning Problem ⇒ ‘Generic’ Plans 

Since the “mock” search space is guaranteed to be polynomial, on the road 
from a specification of the “mock” generic problem to its solution one can 
choose among a wide spectrum of techniques: direct searching for the short- 
est paths, theorem proving, BDDs, SAT, etc. It should be pointed out that 
we are looking for plans, so that the pure decision procedure is not satisfac- 
tory (as a rule, the pure existence of a plan is almost evident). As compared 
to many existing logic formalisms for planning, the advantage of linear logic 
here is that there is a clear direct correspondence between proofs and plans. 

(b) ‘Generic’ Plans ⇒ ‘Real’ Plans 

The idea that any “mock” generic problem can be transformed to a plan 
over the real world seems ‘orthogonal’ to traditional set-theoretical logical 
systems but it can be easily stated, justified and explained in terms of linear 
logic. 

Furthermore, the linear logic approach proposed here is complete in the sense 
that any planning problems with symmetries can be specified (or reformu- 
lated) in terms of the fragment of linear logic consisting of disjunctive Horn 
clauses. 

5.1 Genericness vs. Bisimulation 

Theorem 5. For a given sort τ, let Ax_T consist only of τ-monadic pure Horn 
clauses. 

Then for any variables z, z_1,z_2,..,z_n of sort τ the following holds: whatever 
LL-monomial W(z_1,z_2,..,z_n) in which each of the z_i has exactly one occurrence, 
and LL-polynomial Z(z_1,z_2,..,z_n) such that #_{z_i}(Z) ≤ 1 for each z_i, we take, if 
a sequent of the form 

W(z,z,..,z) ⊢ Z(z,z,..,z) (22) 

is derivable from Ax_T by the rules of affine logic, then for some permutation π, 
a sequent of the form 

W(z_1,z_2,..,z_n) ⊢ Z(z_{π(1)}, z_{π(2)}, .., z_{π(n)}) (23) 

is also derivable from Ax_T by the rules of affine logic. 

Theorem 5 allows us to automatically detect a certain bisimulation symmetry, 
which can be used to construct a quotient bisimulation partition. There have 
been similar attempts to automatically detect symmetries in other areas such as 
SAT checking [3]. In brief, their approach is to take an exponential state space 
and partition it with respect to the symmetry detected. But the symmetry by 
itself does not help to reduce the number of variables (any representative still 
deals with Zi,Z2,--,z n ). We believe that our approach is more universal, uniform 
and efficient, since from the very beginning we start from a small “mock” space, 
and do not invoke the original exponential space at all. 

Furthermore, Theorem 5 and the bisimulation caused by it fail in a general 
case: 

Example 7. Let Ax_T consist of the following axioms: 

A ⊗ P(z) ⊢ L(z) ⊗ C ⊗ R(z) 
B ⊗ P(z) ⊢ R(z) (24) 
C ⊗ P(z) ⊢ D ⊗ L(z) 

Then a “mock” sequent of the form A ⊗ P(b) ⊗ P(b) ⊢ D ⊗ L(b) ⊗ R(b) is deriv-
able from (24), but neither A ⊗ P(b_1) ⊗ P(b_2) ⊢ D ⊗ L(b_1) ⊗ R(b_2) nor 
A ⊗ P(b_1) ⊗ P(b_2) ⊢ D ⊗ L(b_2) ⊗ R(b_1) is derivable from (24) by the linear logic 
rules. 

Indeed, Theorem 1 provides derivability from (24) for a sequent of the ‘sym-
metric’ form 

A ⊗ P(b_1) ⊗ P(b_2) ⊢ D ⊗ L(b_1) ⊗ R(b_2) ⊕ D ⊗ L(b_2) ⊗ R(b_1). 

6 Concluding Remarks 

We have shown that the linear logic formalism can automatically exploit pecu- 
liarities of the AI systems under consideration, and achieve a significant speedup 
over the traditional ones by decreasing the combinatorial costs associated with 
searching large spaces. 

We have established a clear and easy-to-check syntactical criterion for de-
tecting symmetry in planning domains, and developed techniques to break it by 
construction of a more abstract formulation whose solution can automatically 
aid in solving the original problem, providing, in particular, a radical reduc-
tion of the number of variables, and thereby polynomial solutions to the original 
planning problems. 

These results in some sense are “orthogonal” to traditional logical systems 
but are easily specified and handled in terms of linear logic, making a bridge from 
human common-sense reasoning and problem solving to computer-aided planning 
and to the ability of automated systems to reason effectively in complex but 
natural domains. 
Abstract. In this paper we address long standing open problems of 
Bergstra and Tucker about specifications of abstract data types by means 
of equations and conditional equations. By an abstract data type we 
mean the isomorphism type of an algebra. An algebra is algebraically 
specified if the algebra can be defined uniquely, in a certain precise sense, 
in terms of a finite number of conditional equations by allowing functions 
that are not in the original language of the algebra. We provide full solu-
tions to the Bergstra and Tucker problems, explain basic ideas, methods, and 
the logical dependencies between blocks of proofs used in our solutions. 



1 Background 

In this paper we outline the basic ideas that lead to complete solutions of long 
standing open problems of Bergstra and Tucker about specifiability of abstract 
data types by means of a finite number of equations and quasiequations. The prob-
lems were formulated in the early 80s (e.g. see [1]). The first problem is concerned 
with finding equational specifications for abstract data types. In 1987 Kasymov 
solved the problem in [7] by constructing a specific computably enumerable (c.e.) 
algebra. In [9], the author revisited Kassymov’s proof by providing a natural ex-
ample of a c.e. algebra, whose construction is based on Kolmogorov complexity, 
that also solves the problem for equational specifications. However, the second, 
more general problem about specifications of abstract data types by conditional 
equations (we call them here quasiequations) has since been open. In this pa-
per, we give precise formulations of the problems, the necessary background, and 
provide basic methods and ideas used in the solutions of the problems. 

The modern theory of algebraic specifications has advanced significantly since 
the early 80s and now possesses its own problems and directions for research. 
Originally born as a theory for reasoning about abstract data types by means of 
formal methods and algebraic techniques, the area now covers new methods for 
specifications and programming concepts (e.g. object-oriented, aspect-oriented, 
agent-oriented, higher-order logic and functional programming) with the goal of 
providing foundations for correctness of programs. See for example the recent series 
of proceedings of the Workshop on Algebraic Development Techniques for the 
current state of the area. However, in the area there are some open problems of 
foundational character, and the problems addressed in this paper are among 
those that still need to be answered. The foundational nature of such 
problems naturally requires a deep analysis of basic underlying concepts (for this 
paper these concepts are the precise definitions of abstract data type, equational 
and quasiequational specification, computation, and deduction) and the use of 
advanced modern techniques and tools of mathematics for the solutions of the 
problems (for this paper techniques of modern computability theory and algebra 
are used). So, we assume that the reader is familiar with standard notions from 
universal algebra (such as congruence relation, finitely generated and finitely 
presented algebra, homomorphisms, variety and quasivariety, free algebra), logic 
(equations, quasiequations, proofs), computability (c.e. sets, simple sets, basics 
of priority argument constructions), and computable model theory (computable 
and c.e. algebra, c.e. presentable algebra). All these are in the basic textbooks 
and introductory chapters from Gratzer [5], Goncharov and Ershov [6], and Soare 
[11]. Of course, we provide the necessary definitions. A good survey on abstract data 
types and algebraic specifications is Wirsing [12]. A basic paper that underlines 
the logical and algebraic foundations of the problems is Bergstra and Tucker [2]. 

Now we outline this paper. Further in this section, we provide the formulation 
of the problems and some background. For completeness of our exposition Sec-
tion 2 briefly outlines the proof for the case of equational specifications (which, 
as mentioned above, solved one of the questions of Bergstra and Tucker). Finally, 
Section 3 is devoted to describing the proof line for the case of quasiequational 
specifications. Some of the proofs are technical and lengthy, especially the proofs 
of results in the last section. Therefore we outline basic ideas of the proofs and 
give appropriate references in which full proofs are presented. We also concen-
trate on the relationship between the basic blocks of the proofs, and explain 
methods of algebra and computability that are used in solving the problems. 

An algebra is a structure of a finite purely functional language (signature). 
Thus, any algebra A is of the form (A; f_0, ..., f_n), where A is a nonempty set 
called the domain of the algebra, and each f_i is a functional symbol that names a 
total operation on the domain A. Often the operation named by f_i is also denoted 
by the same symbol f_i. We refer to the symbols f_0, ..., f_n as the signature of the 
algebra. The Presburger arithmetic (ω; 0, S, +) is an algebra, so are groups, rings, 
lattices and Boolean algebras. Fundamental structures that arise in computer 
science such as lists, stacks, queues, trees, and vectors can all be viewed and 
studied as algebras. A foundational thesis that connects abstract data types 
(ADTs) with algebras and forms the basis of the work in algebraic specifications 
is the following, stated as a definition. 

Definition 1. An abstract data type (ADT) is the isomorphism type of an 
algebra. 

Often abstract data types are defined to be the isomorphism types of many 
sorted algebras. We note, however, that the specification problems have fully 
been solved for many sorted algebras (see [1]), and hence for the purpose of this 
paper we omit the case for algebras with many sorts. 

Let a be a functional finite language (signature) with at least one constant 
symbol. An equation is an expression of the form p = q, and a quasiequation 
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is an expression of the form (Szi <ul pi = qf) — t s = t, where p , q, s , t are terms of 
the signature. These terms may contain variables. An equational specification 
is a finite set E of equations. A quasiequational specification is a finite set Q 
of quasiequations. In this paper the word specification refers to either equational 
or quasiequational specification unless otherwise stated. 

Let $\mathcal{F}(\sigma)$ be the absolutely free algebra generated by the $\sigma$-constants. Elements 
of this algebra are called ground terms. Let $S$ be a specification. Ground 
terms $t_1$ and $t_2$ are $\equiv_S$-equivalent if $t_1 = t_2$ can be proved from $S$ (within 
first order logic). The relation $\equiv_S$ is a congruence relation on $\mathcal{F}(\sigma)$, and hence 
one can factorize $\mathcal{F}(\sigma)$ by $\equiv_S$. We denote this factor algebra by $\mathcal{F}(S)$. In universal 
algebra $\mathcal{F}(S)$ is called the zero generated free algebra of the quasivariety 
determined by $S$. 

From a programming point of view $S$ is thought of as a specification of an 
abstract data type that is being (or needs to be) implemented. One thinks of $S$ as 
a set of axioms that must be satisfied in all implementations of $S$. Indeed, often 
when a programmer implements an abstract data type, e.g. stacks or queues or 
lists, the specification requirements put on the abstract data type are most likely 
equational or quasiequational in nature. For example, a specification requirement 
that relates the push and pop operations of a stack abstract data type states that 
for any stack $s$ and any item $i$ the equality $pop(push(s, i)) = s$ is true. 

Definition 2. An algebra A is specified by a specification S if A is isomor- 
phic to the algebra E(S). If the specification S is an equational specification then 
the algebra A is equationally specified. If S is a quasiequational specification 
then the algebra A is quasiequationally specified. 

The arithmetic $(\omega; 0, S, +, \times)$ is an equationally specified algebra, and the 
equations that specify this algebra are the usual recursive definitions of $+$ and $\times$ 
together with the commutativity, associativity, and distributivity axioms. Similarly, 
the term model for combinatory logic is an equationally specified algebra; this 
is an algebra of the signature $(K, S, I, \cdot)$, where $K, S, I$ are constant symbols 
and $\cdot$ is a binary operation, satisfying the following equations: $(K \cdot x) \cdot y = x$, 
$((S \cdot x) \cdot y) \cdot z = (x \cdot z) \cdot (y \cdot z)$, $I \cdot x = x$. Finally, all finitely presented algebras 
(such as groups or rings) are examples of specified algebras. 
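For specifications whose equations orient into a terminating and confluent rewrite system, the initial algebra $\mathcal{F}(S)$ of Definition 2 can be computed directly: two ground terms name the same element iff they have the same normal form. The following Python block is an added example, not code from the paper. It implements ground-term rewriting and applies it to the stack requirement $pop(push(s, i)) = s$ from the previous paragraph and to the recursive definitions of $+$ and $\times$ in $(\omega; 0, S, +, \times)$. The term encoding, the helper names, the extra stack equation for $top$, and the orientation of the equations are assumptions of this example.

```python
# Added example (not from the paper): deciding t1 = t2 in the initial algebra
# F(S) of an equational specification S by rewriting ground terms to normal
# form. Terms are nested tuples (symbol, arg1, ...); a variable is a 1-tuple
# whose name starts with '?'. Each equation of S is oriented left-to-right
# into a rewrite rule. Assumption of this example: the rule sets used are
# terminating and confluent, so equal normal forms exactly capture
# provability from S. For an arbitrary S only a semi-decision procedure
# (enumerate proofs) exists, which is the c.e. property of Theorem A.

def is_var(t):
    return t[0].startswith('?')

def match(pattern, term, subst):
    """First-order matching of a rule pattern against a ground term.
    Extends subst in place; returns False on mismatch."""
    if is_var(pattern):
        if pattern[0] in subst:
            return subst[pattern[0]] == term
        subst[pattern[0]] = term
        return True
    if pattern[0] != term[0] or len(pattern) != len(term):
        return False
    return all(match(p, a, subst) for p, a in zip(pattern[1:], term[1:]))

def substitute(term, subst):
    if is_var(term):
        return subst[term[0]]
    return (term[0],) + tuple(substitute(a, subst) for a in term[1:])

def rewrite_step(term, rules):
    """One innermost rewrite step, or None if term is already in normal form."""
    for i in range(1, len(term)):
        new = rewrite_step(term[i], rules)
        if new is not None:
            return term[:i] + (new,) + term[i + 1:]
    for lhs, rhs in rules:
        subst = {}
        if match(lhs, term, subst):
            return substitute(rhs, subst)
    return None

def normal_form(term, rules):
    while True:
        new = rewrite_step(term, rules)
        if new is None:
            return term
        term = new

def equal_in_initial_algebra(rules, t1, t2):
    """t1 and t2 denote the same element of F(S) iff their normal forms agree."""
    return normal_form(t1, rules) == normal_form(t2, rules)

# --- Specification of (omega; 0, S, +, x): the recursive definitions only.
# The commutativity/associativity/distributivity axioms the paper lists hold
# in the initial algebra but are not needed as rules to compute it.
X, Y = ('?x',), ('?y',)
ZERO = ('0',)
def S(t):        return ('S', t)
def plus(a, b):  return ('+', a, b)
def times(a, b): return ('*', a, b)

ARITH = [
    (plus(X, ZERO),  X),
    (plus(X, S(Y)),  S(plus(X, Y))),
    (times(X, ZERO), ZERO),
    (times(X, S(Y)), plus(times(X, Y), X)),
]

def numeral(n):
    t = ZERO
    for _ in range(n):
        t = S(t)
    return t

def value_of(term):
    """Read a ground term of (omega; 0, S, +, x) back as a number via F(S)."""
    nf, n = normal_form(term, ARITH), 0
    while nf != ZERO:
        nf, n = nf[1], n + 1
    return n

# --- Stack specification (assumed two-equation version):
#     pop(push(s, i)) = s  and  top(push(s, i)) = i.
SV, IV = ('?s',), ('?i',)
EMPTY = ('empty',)
def push(s, i): return ('push', s, i)
def pop(s):     return ('pop', s)
def top(s):     return ('top', s)

STACK = [
    (pop(push(SV, IV)), SV),
    (top(push(SV, IV)), IV),
]
```

A caveat worth noticing when running this: `pop(EMPTY)` is its own normal form, so in $\mathcal{F}(S)$ for the two stack equations it is a distinct element rather than an error or `EMPTY`; an initial-algebra specification says nothing about cases the equations do not mention.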

In order to study specified algebras we need to employ some notions from 
computable algebra and model theory. Let $A = (A; f_0, \ldots, f_n)$ be an algebra. For 
each element $a \in A$ introduce a new constant symbol $c_a$ that names the element 
$a$ itself. The atomic diagram of $A$ is the set of all expressions of the form 
$f_i(\bar c) = d$ or $f_i(\bar c) \neq d$, with $\bar c$ a tuple of the new constants and $d$ one of them, 
which are true in the algebra $A$. The positive atomic 
diagram of $A$ is the set of all expressions of the form $f_i(\bar c) = d$ which are true 
in the algebra $A$. The algebra $A = (A; f_0, \ldots, f_n)$ is computable if its atomic 
diagram is a computable set. The algebra $A = (A; f_0, \ldots, f_n)$ is computably 
enumerable (c.e.) if its positive atomic diagram is a computably enumerable 
set. It is not hard to see that computable algebras are, up to isomorphism, exactly the 
algebras of the form $(\omega; f_0, \ldots, f_n)$, where each $f_i$ is a computable function on 
$\omega$. Clearly, every computable algebra is c.e., and the converse does not in general 
hold. Here are some examples of c.e. algebras: 
1. Any specified algebra, such as the arithmetic or the term model for combinatory logic. 

2. The Lindenbaum Boolean algebra of any c.e. first order theory, such as the 
Peano arithmetic. 

3. Any finitely presented group, and in fact any finitely presented algebra. 

A computably enumerable (c.e.) algebra $A$ can be explained as follows. As the 
positive diagram of $A$ can be computably enumerated, the set $E = \{(c_a, c_b) \mid a = b$ 
is true in the algebra $A\}$ is computably enumerable. Hence the equality relation 
in $A$ is c.e. Let $f$ be a basic $n$-ary operation on $A$. From the definition of a c.e. 
algebra, the operation $f$ can be thought of as a function induced by a computable 
function, often also denoted by $f$, that is well behaved on the $E$-equivalence 
classes in the following sense: for all $x_1, \ldots, x_n, y_1, \ldots, y_n$, if $(x_i, y_i) \in E$ for all $i$, then 
$(f(x_1, \ldots, x_n), f(y_1, \ldots, y_n)) \in E$. Therefore, a natural way to think about $A$ is 
that the elements of $A$ are $E$-equivalence classes and the operations of $A$ are induced 
by computable operations. This reasoning suggests another, equivalent approach 
to the definition of c.e. algebras, explained in the next paragraph. 

Let $E$ be a c.e. equivalence relation on $\omega$. A computable $n$-ary function $f$ 
respects $E$ if for all natural numbers $x_1, \ldots, x_n$ and $y_1, \ldots, y_n$ such that $(x_i, y_i) \in E$ 
for $i = 1, \ldots, n$, we have $(f(x_1, \ldots, x_n), f(y_1, \ldots, y_n)) \in E$. Let $\omega(E)$ be the 
factor set obtained by factorizing $\omega$ by $E$, and let $f_0, \ldots, f_n$ be computable 
operations on $\omega$ that respect the equivalence relation $E$. An $E$-algebra is then 
an algebra $(\omega(E); F_0, \ldots, F_n, c_0, \ldots, c_m)$, where each $F_i$ is the operation induced by 
$f_i$ and each $c_j$ is a constant symbol. It is now not hard to show that an algebra 
$A$ is c.e. if and only if $A$ is an $E$-algebra for some c.e. equivalence relation $E$. 

An algebra is computably presentable if it is isomorphic to a computable 
algebra. Similarly, an algebra is c.e. presentable if it is isomorphic to a c.e. al- 
gebra. In the literature c.e. algebras are sometimes called semicomputable data 
structures [1] or positive algebras [6]. Thus, if one thinks of an ADT as an 
algebra then a computable or c.e. presentation of it can be identified with a 
machine-theoretic (or program-theoretic) implementation of the ADT. The the- 
orem below, a classic result of universal and computable algebra, outlines the 
basic properties of specified algebras: 

Theorem A If the algebra $A$ is specified by the specification $S$ then $A$ has the 
following properties: 

1. For ground terms $t_1$ and $t_2$, we have $A \models t_1 = t_2$ iff $S \vdash t_1 = t_2$. Hence 
$A$ is a c.e. algebra. 

2. $A$ satisfies $S$. 

3. For any algebra $B$ that is generated by the $\sigma$-constants and satisfies $S$ there exists 
a unique homomorphism from $A$ onto $B$. 

4. If $B$ is specified by $S$ then $A$ and $B$ are isomorphic. 

The first part of the theorem tells us that all the positive facts about the 
ADT $A$ specified by $S$ can be computably enumerated. The second part tells 
us that $A$ is a correct implementation of $S$. The third part tells us that $A$ 
is, in a natural sense, the universal implementation among all data structures 
that satisfy $S$. Finally, the last part is the uniqueness property of the specified 
algebra. Therefore $A$ is often called the initial algebra of $S$, and our approach 
to the specification of abstract data types is called the initial algebra semantics 
method. 

There is one fundamental difference between equationally specified algebras 
and quasiequationally specified algebras. For equationally specified algebras the 
third part of Theorem A has a converse: if $A$ is equationally specified by 
$E$ and $B$ is a homomorphic image of $A$, then $B$ is generated by the $\sigma$-constants 
and satisfies $E$. (For quasiequations this fails, since quasiequations are not in 
general preserved under homomorphic images.) This difference is the main reason 
why the proof for the equational specification problem, outlined in the next section, 
fails to solve the problem for quasiequational specifications. 

Let us consider the algebra $(\omega; S, 2^x, 0)$. This algebra is computable 
and finitely generated but does not have an equational specification (see [2]). 
An important fact is that one can enrich this algebra by expanding its signature 
and consider the expanded algebra $(\omega; S, 2^x, +, \times, 0)$. This algebra 
is equationally specified: the natural recursive definition of $+$, the definition of 
$\times$ via $+$, and the definition of $2^x$ via $\times$ do the job. 

The observation above suggests the idea of adding more functions to the origi- 
nal signature. This allows one to possess more flexibility in finding a specification 
of the algebra in an appropriate expansion. We would like to stress that the use 
of expansions of the original signature is a common and powerful tool that has 
been employed in pure model theory, algebra, and real programming practice. 
For example, in model theory expansions are used in constructing models with 
different properties, e.g. constructing saturated models, finding expansions that 
have elimination of quantifiers (e.g. expansions by Skolem functions), etc. In 
programming practice the use of expansions is a usual and natural routine. For 
instance, after an ADT is implemented by a code it is often the case that one 
would like to add more functionality to the code. This essentially amounts to 
adding extra methods to the program which, by its nature, is an expansion of 
the ADT implemented. 

Let $A$ be a c.e. algebra, and let $f_1, \ldots, f_n$ be computable functions (well 
behaved with respect to the equality relation of $A$). Then the algebra $B = 
(A, f_1, \ldots, f_n)$ obtained by adding the operations $f_1, \ldots, f_n$ to $A$ is called an 
expansion of $A$. The signature $\sigma \cup \langle f_1, \ldots, f_n \rangle$ is an expansion of the original 
signature. The algebra $A$ is called a reduct of $B$. An important result is the 
following theorem proved by Bergstra and Tucker in [1]: 

Theorem B Any computable algebra $A$ possesses an expansion that can be 
equationally specified. 

The proof consists of two steps. The first step assumes that all original functions 
$f$ of $A$ are primitive recursive. Hence each $f$ is defined in terms of a sequence 
of functions (called a definition of $f$) using the primitive recursive schemata 
and the operation of composition successively applied to the basic functions: the 
successor, projections, and constants. The expansion is then obtained by adding 
the names of all the functions which participate in the definition of $f$. This 
expansion of $A$ is then specified because the definition of $f$ can be transformed 
into a specification of $f$. In the second step it is assumed that there is a non 
primitive recursive original operation. This is then reduced to the first step by 
using a primitive recursive enumeration of the graph of the operation. Bergstra 
and Tucker have a significant improvement of the result: any computable algebra 
has an equationally specified expansion with only 6 new functions and 4 equations [3]. 

The theorem above tells us that the initial algebra semantics method is sound 
for the class of all computable algebras. Of course, not every finitely generated 
c.e. algebra is computable, and for this reason Theorem B does not cover the 
general case. This leads us to the formulation of the following three problems, 
whose solutions are discussed in the next sections. The first question (called the 
subproblem) is a test case: by the theorem above, any counterexample to it must be 
a non-computable algebra. The last two questions form the problem 
of Bergstra and Tucker. 

Subproblem: Is it true that any c.e. algebra has an equationally specified ex- 
pansion ? 

Note that the subproblem is not restricted to finitely generated c.e. algebras. 

Problem 1 [2]: Does any finitely generated c.e. algebra have an equationally 
specified expansion? 

Problem 2 [2]: Does any finitely generated c.e. algebra possess a quasiequation- 
ally specified expansion? 

These questions may remind the reader of Higman's embedding 
theorem, which states that any recursively presented group (that is, a finitely generated 
c.e. group) can be embedded into a finitely presented (that is, equationally specified) 
one. However, in Higman's theorem the underlying domain of the group is 
allowed to be extended to a bigger domain; this is prohibited in the questions 
of Bergstra and Tucker above. In addition, in Higman's theorem the embedding 
preserves the group structure; this is relaxed in the questions of Bergstra and 
Tucker, as expansions are allowed to be arbitrary computable functions. 

Finally, we would like to stress that the specification problems discussed in 
this paper arose from investigations related to the study of semantics of pro- 
grams, which is a part of a bigger theme in computer science: correctness of 
programs (e.g. see [10]). Our methods which solve the specification problems 
use basics from universal algebra and standard techniques from modern com- 
putability theory, thus providing an example of interactions between applied 
and theoretical computer science, algebra and logic. 

2 Solution of Problem 1 

We first give our solution to the subproblem, proved in [8]. The proof gives a 
negative answer to the subproblem. We need two notions. An algebra is locally 
finite if any finite subset of it generates a finite subalgebra. A set $X$ of natural 
numbers is hypersimple if it is computably enumerable, co-infinite, and there 
does not exist a computable function $f : \omega \to \omega$ such that $f(i) \ge a_i$ for all $i$, 
where $a_0 < a_1 < \ldots$ is the enumeration of the complement of $X$ in strictly increasing 
order. 

Theorem 0 There exists an infinite algebra $A$ such that every c.e. presentable expansion 
of $A$ is locally finite. 

Proof (outline). Let $X \subset \omega$ be a hypersimple set with $1 \notin X$. Consider now 
the unary algebra $(A; f)$ that satisfies the following properties: 1. $f : A \to A$ is a 
bijection; 2. for every $x \in A$ there exists an $n$ such that $f^n(x) = x$ and the 
elements $x, f(x), \ldots, f^{n-1}(x)$ are pairwise distinct; call the sequence $x, f(x), \ldots, f^{n-1}(x)$ 
an orbit of size $n$; 3. for every $n \in X$ the algebra does not contain 
an orbit of size $n$; 4. for every $n \notin X$ the algebra contains exactly one orbit of 
size $n$. Clearly, these properties define $A$ uniquely up to isomorphism. 

The algebra $A$ has a c.e. presentation. Indeed, take a computable algebra 
$(\omega; f)$ such that for every $n > 1$ the algebra has exactly one orbit of size $n$. 
Now consider the following equivalence relation $\eta$ on this algebra: $(x, y) \in \eta$ iff 
either $x = y$ or $x$ and $y$ belong to orbits $O_1$ and $O_2$, respectively, such that 
the size of $O_1$ and the size of $O_2$ are both in $X$. The equivalence relation is a c.e. 
congruence of the algebra, and the orbits whose sizes lie in $X$ collapse to a single 
fixed point of $f$, that is, to the one orbit of size $1$. Hence the factor algebra is a c.e. 
presentation of $A$. Now, assume that $B$ is an expansion of $A$ such that $B$ is a c.e. 
algebra. If there were a finite subset of $B$ that generated an infinite subalgebra, 
then the set $X$ would not be hypersimple. $\square$
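The $E$-algebra view of c.e. algebras from Section 1 (a c.e. equivalence relation on $\omega$ plus computable operations that respect it) can be made concrete with the orbit algebra used in the proof above. The following Python block is an added example, not from the paper: it lays out the computable algebra $(\omega; f)$ with exactly one orbit of each size $n \ge 2$ (the placement of the orbits in consecutive blocks is our choice), approximates the congruence $\eta$ by stages from an enumeration of $X$, checks the "respects $E$" condition on an initial segment, and reads off the orbit sizes of the factor algebra. The set $X$ is a constructed finite stand-in; a genuine hypersimple set cannot be written down, so the block shows the collapse and the well-definedness of the induced operation, not the local-finiteness argument.

```python
# Added example (not from the paper): the orbit algebra (omega; f) of the proof
# of Theorem 0 as an E-algebra. Assumption of this example: the unique orbit
# of size n >= 2 occupies the n consecutive numbers starting at start(n).

def start(n):
    """First element of the orbit of size n (n >= 2): 0, 2, 5, 9, 14, ..."""
    return n * (n - 1) // 2 - 1

def orbit_size(x):
    """Size of the orbit of x in the computable algebra (omega; f)."""
    n = 2
    while start(n + 1) <= x:
        n += 1
    return n

def f(x):
    """The computable bijection: cyclic successor inside the orbit of x."""
    n = orbit_size(x)
    s = start(n)
    return s + (x - s + 1) % n

# Constructed stand-in for the c.e. set X, given by an enumeration; the
# stage-s approximation X_s consists of the first s numbers enumerated.
# (A real hypersimple X is infinite and has no computable increasing
# enumeration; this finite list is for illustration only.)
X_ENUM = [3, 7, 4, 11, 6]

def X_at_stage(s):
    return set(X_ENUM[:s])

def eta(x, y, s):
    """Stage-s approximation of the c.e. congruence eta: x and y are related
    iff equal, or both lie in orbits whose sizes have been enumerated into X."""
    X = X_at_stage(s)
    return x == y or (orbit_size(x) in X and orbit_size(y) in X)

def respects_eta(op, bound, s):
    """The 'respects E' condition of Section 1, checked for numbers below bound."""
    return all(eta(op(x), op(y), s)
               for x in range(bound) for y in range(bound) if eta(x, y, s))

def rep(x, s):
    """Canonical representative of the eta_s-class of x in omega(eta_s)."""
    X = X_at_stage(s)
    if orbit_size(x) in X:
        return min(start(n) for n in X)   # the single collapsed class
    return x

def F(cls, s):
    """Operation on the factor set induced by f (well defined by respects_eta)."""
    return rep(f(cls), s)

def orbit_sizes_in_factor(bound, s):
    """Sizes of the F-orbits among classes of numbers below bound. The collapsed
    class is a fixed point of F, i.e. the one orbit of size 1 (1 is not in X)."""
    seen, sizes = set(), []
    for x in range(bound):
        c = rep(x, s)
        if c in seen:
            continue
        seen.add(c)
        y, k = F(c, s), 1
        while y != c:
            seen.add(y)
            y, k = F(y, s), k + 1
        sizes.append(k)
    return sorted(sizes)
```

With `bound = start(12) = 65` the range covers the orbits of sizes 2 through 11 completely. At stage 0 (nothing enumerated yet) the factor algebra is the computable algebra itself; at stage 5 the orbits of sizes 3, 4, 6, 7 and 11 have merged into one fixed point, and the remaining orbit sizes are exactly the $n \notin X$.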

Note that the theorem above gives a negative answer to the subproblem 
in the strongest possible way. Indeed, it shows that all c.e. implementations (that 
is, presentations) of $A$, and not just one, fail to be equationally specified. The 
failure is not because the c.e. implementations of $A$ are bad but rather an intrinsic 
property of the algebra itself. 

The next theorem solves Problem 1 in the negative. This shows that the initial 
algebra semantics method with equational specifications is not sound for the 
class of all finitely generated c.e. algebras. For a detailed proof see [7] or [9]. 
Recall that a set $X$ of natural numbers is simple if it is co-infinite, computably 
enumerable, and its complement contains no infinite c.e. subset. 

Theorem 1. There exists a finitely generated c.e. algebra such that every ex- 
pansion of the algebra is not equationally specified. 

Proof (outline). Let $X \subset \omega$ be a set. Consider the factor set $\omega(X)$ whose 
elements are the equivalence classes of the equivalence relation $\eta(X)$ defined as 
follows: $\eta(X) = X^2 \cup \{(x, x) \mid x \in \omega\}$. Thus, each element of $\omega(X)$ is either a 
singleton or the class $X$ itself. Here is the first lemma, which we state without proof: 

Lemma 1. There exists a finitely generated c.e. algebra $A(X)$ such that the 
domain of $A(X)$ is $\omega(X)$ with $X$ a simple set. 

The proof can be found either in [7], where $X$ is constructed directly, or in 
[9], where the algebra $A(X)$ is constructed using Kolmogorov complexity. A 
point of note is that $X$ cannot be hypersimple, which is consistent with the 
previous theorem. 

The next lemma is due to Malcev. We say that an algebra $A$ is residually 
finite if for any $a, b \in A$ with $a \neq b$ there is an onto homomorphism $h : A \to B$ 
such that $h(a) \neq h(b)$ and $B$ is finite. Here is the next lemma: 

Lemma 2. If an algebra $A$ is equationally specified and residually finite then 
the equality relation in the algebra is decidable. 

Note that the equality problem for $A(X)$ is not decidable because $X$ is not a 
computable set. The next lemma, given without proof, essentially uses the fact 
that $\omega \setminus X$ contains no infinite c.e. subset (such sets are called immune sets). 
The lemma is a good example of the interaction between two seemingly unrelated 
notions: immune sets from computability theory on the one hand, and residually 
finite algebras from universal algebra on the other. The full proof is in [7] or [9]. 

Lemma 3. Any expansion B of A(X) is residually finite. 

Thus, the lemmas above show that the algebra $A(X)$ is the desired one, which 
proves the theorem. $\square$

An important comment is that for quasiequational specifications the proof of 
the theorem above fails because, as has been mentioned, the second lemma stated 
above fails for algebras specified by quasiequations. Therefore, a new point of 
view is needed for the study of Problem 2 to which we now turn our attention. 



3 Solution of Problem 2 

Most of the algebras constructed in this section have signature $\langle c, f, g \rangle$, where 
$c$ is a constant and $f, g$ are unary function symbols. Therefore the reader can 
restrict attention to this signature while reading this section. However, we 
formulate the results (where possible) for any finite functional signature $\sigma$ with 
at least one constant symbol. 

Let $(a, b)$ be a pair of elements of an algebra $A$. Consider the minimal congruence relation 
containing the pair, denoted by $\eta(a, b)$ and called a principal congruence. We 
now give an inductive definition of almost free algebras. 

Definition 3. The absolutely free algebra $\mathcal{F}(\sigma)$ is almost free. Assume that 
$A$ is almost free. Then the factor algebra obtained by factorizing $A$ by $\eta(a, b)$, 
where $(a, b)$ is any pair in $A$, is almost free. 

Thus $A$ is almost free if and only if there exist a sequence $A_1, \ldots, A_n$ of 
algebras and a sequence $(a_1, b_1), \ldots, (a_n, b_n)$ of pairs of elements such that $A_1$ 
is $\mathcal{F}(\sigma)$, each $A_{i+1}$ is obtained by factorizing $A_i$ by $\eta(a_i, b_i)$, and $A$ is obtained 
by factorizing $A_n$ by $\eta(a_n, b_n)$. We call the sequence $(a_1, b_1), \ldots, (a_n, b_n)$ a 
witness sequence for $A$ being almost free. The reason for introducing almost free 
algebras is the following. The desired counterexample that solves Problem 2 is 
constructed by stages so that at each stage the construction deals with an almost 
free algebra, and the construction, if needed, acts by factorizing the algebra with 
respect to a principal congruence, thus again producing an almost free algebra. 

In the case $\sigma = \langle c, f, g \rangle$, almost free algebras can be characterized as 
explained below. Let $A$ be an algebra of signature $\sigma$ generated by $c$. 
We say that there is an edge from $a$ to $b$ if $f(a) = b$ or $g(a) = b$. Thus $A$ 
is turned into a directed graph, and one can apply graph theoretic notions 
to the algebra viewed as a graph. For example, the distance from $a$ to $b$ is the 
length of a minimal directed path starting at $a$ and ending at $b$. A level in $A$ 
is the set of all elements that are at the same distance from the generator $c$. 
Thus, if $A$ is the absolutely free algebra of the signature $\sigma$ then there are $2^n$ 
elements at level $n$. The following is not hard to see. The algebra $A$ 
is almost free if and only if either $A$ is finite or there is a level $L$ such that for 
all $x \in L$ the subalgebra $A_x$ generated by $x$ is isomorphic to $\mathcal{F}(\sigma)$, and for all 
distinct $x, y \in L$ the domains of $A_x$ and $A_y$ have no elements in common. Here 
is a lemma whose proof we omit. The reader can verify the correctness of the 
lemma in the case (sufficient for our counterexample) when $\sigma$ is $\langle c, f, g \rangle$ using 
the characterization just explained. 

Lemma 4. There exists an algorithm that, for any almost free algebra $A$, a witness 
sequence $(a_1, b_1), \ldots, (a_n, b_n)$ for $A$, a first order formula $\Phi(x_1, \ldots, x_m)$, and 
an $m$-tuple $(c_1, \ldots, c_m)$, decides whether or not $A \models \Phi(c_1, \ldots, c_m)$. In particular, 
the first order theory of any almost free algebra is decidable. 

We use a weaker version of this lemma. First of all, we deal only with the 
signature $\langle c, f, g \rangle$ mentioned above. Secondly, we restrict ourselves to formulas $\Phi$ 
which are quasiequational specifications. 

The proof of the next lemma uses a diagonalization argument. The result of 
this lemma can be obtained without the diagonalization. However, the methods 
and ideas of this and the next lemmas give a hint towards a solution of the 
problem. 

Lemma 5. There exists a finitely generated c.e. algebra that has no quasiequational 
specification in its own signature. 

Proof (outline). We construct the desired algebra by stages, where at each 
stage we deal with the almost free algebra obtained at the previous stage. The 
signature of the algebra $A$ that we construct is $\langle c, f, g \rangle$. In order to make 
$A$ not quasiequationally specified, our construction needs to make sure that $A$ 
is not isomorphic to $\mathcal{F}(C)$ for any given quasiequational specification $C$. Thus, 
in order to construct $A$ the construction must guarantee the satisfaction of the 
following requirements: 

$R_e$: $A$ is not isomorphic to $\mathcal{F}(C_e)$, 

where $\{C_e\}_{e \in \omega}$ is an effective list of all quasiequational specifications (note that 
each quasiequational specification is finite). The previous lemma is an important 
tool guaranteeing that the construction can be carried out effectively. At the 
initial stage, Stage 0, the construction begins with the algebra $\mathcal{F}(\sigma)$. Denote 
this algebra by $A_0$. At Stage $n+1$, the goal of the construction is to guarantee 
that the requirement $R_n$ is satisfied. Here is a description of Stage $n+1$. 

Stage $n+1$. Assume that $A_n$ has been constructed and is almost free. In addition 
we have its witness sequence for being almost free. Take the quasiequational 
specification $C_n$. Check whether or not $A_n \models C_n$. This can be checked by the 
previous lemma. If $A_n \models C_n$ then find two distinct elements $a, b$ in $A_n$ such that 
the factor algebra $B$ obtained by factorizing $A_n$ with respect to the principal 
congruence $\eta(a, b)$ satisfies $R_0, \ldots, R_n$ and is infinite. Set $A_{n+1} = B$. Clearly, 
$A_{n+1}$ is almost free. If $A_n \models \neg C_n$ then find a tuple $\bar a$ that witnesses the fact 
that $A_n \models \neg C_n$. More precisely, we know that the quasiequational specification 
$C_n$ is of the form 

$\forall \bar x\, \big(\&_i\, (\Phi_i(\bar x) \to \Psi_i(\bar x))\big),$

where each $\Phi_i$ is a conjunction of equations and each $\Psi_i$ is an equation between 
terms. Since $A_n$ does not satisfy $C_n$ there exist a tuple $\bar a$ and an $i$ such that 
$A_n \models \Phi_i(\bar a)$ and $A_n \models \neg \Psi_i(\bar a)$. The construction then guarantees that 
$\neg \Psi_i(\bar a)$ remains true, by making sure that the requirements $R_j$ of lower 
priority ($j > n+1$) do not change the truth value of $\Psi_i(\bar a)$. In this case 
$A_{n+1} = A_n$. 

The desired algebra is now the following. Let $\eta$ be the congruence relation 
such that $(a, b) \in \eta$ iff $a = b$ is true in some $A_n$. Clearly $\eta$ is a c.e. relation. Set 
$A$ to be the factor algebra obtained by factorizing $\mathcal{F}(\sigma)$ with respect to $\eta$. It is 
not hard to show that $A$ is the desired algebra. $\square$

The lemma suggests the idea of constructing the algebra that gives a negative 
solution to Problem 2 by trying to diagonalize against all possible quasiequational 
specifications in all possible finite expansions of the signature. Doing this 
directly seems to be a difficult task for the following two reasons. Say the 
$e$th quasiequational specification contains a new function symbol $\psi$. This means 
that the requirement $R_e$ is equivalent to an infinite list of requirements, as now 
$\psi$ is a new parameter. Hence the list of requirements that correspond to $C_e$ is 
now this: 

$(A, \phi_j)$ is not isomorphic to $\mathcal{F}(C_e)$, 

where $\{\phi_j\}_{j \in \omega}$ is an enumeration of all partial computable functions. Secondly, 
the behaviour of each $\phi_j$ is not under our control, as we can only control the 
algebra $A$ which is being constructed. Therefore it is not clear how to directly 
construct the desired algebra. 

We construct the desired algebra $A$ indirectly. The basic idea of using an 
indirect way is implicitly suggested by the two lemmas above. If we can construct 
$A$ in such a way that no expansion of $A$ produces genuinely new 
functions, in the sense expressed in the definition below, then a modification 
of the proof of the previous lemma does the job. In order to formally explain 
this idea we give the following definition. Note that almost all means for all but 
finitely many. 
Definition 4. A new operation $\psi : A^n \to A$ on a c.e. algebra $A$ is termal 
if there are a term $t(x)$ in the signature of the algebra $A$ and an index $i$ such that 
for almost all $(a_1, \ldots, a_n) \in A^n$ the equality $\psi(a_1, \ldots, a_i, \ldots, a_n) = t(a_i)$ is true. 
An expansion $B = (A, \psi_1, \ldots, \psi_m)$ of $A$ is termal if each new operation $\psi_i$ is termal. 

Note that in the case of the signature $\langle c, f, g \rangle$, every term is of the form 
$f^{n_1} g^{m_1} \cdots f^{n_k} g^{m_k}(x)$, where the $n_i, m_i$ are natural numbers, and hence contains 
at most one variable. 

Thus, the idea is that we want to construct a finitely generated c.e. algebra 
A that incorporates the construction of the previous lemma and, in addition, 
makes sure that any expansion of A is termal. We single out the following class 
of c.e. algebras which, we think, is of independent interest. 

Definition 5. We say that an infinite finitely generated computably enumerable 
algebra A is computationally complete if any expansion of A is termal. 

The following note is simple. If a finitely generated c.e. algebra is computationally 
complete then any other c.e. algebra isomorphic to it is also computationally 
complete. The reason for this is that there is a computable isomorphism 
between any two isomorphic finitely generated c.e. algebras. So computational completeness 
is an isomorphism invariant property for finitely generated c.e. algebras. Thus, 
for a computationally complete algebra every expansion of this algebra, say by a 
function $g$, does not give us anything new. The function $g$ already exists in the 
algebra, as $g$ can be expressed as a term apart from finitely many values. 

We also note the following. If we omit the requirement that the algebra be 
finitely generated, then computational completeness is no longer isomorphism 
invariant. In particular, one can construct a c.e. presentation of the 
trivial algebra $(\omega; \mathrm{id})$, where $\mathrm{id}(x) = x$ for all $x \in \omega$, such that in that 
presentation every possible expansion function $g$ becomes the identity or a projection 
function with respect to the equality relation of the presentation. 

Finally, in universal algebra there is the notion of a primal algebra, defined for 
finite algebras. A finite algebra is primal if any new function $f : A \to A$ can 
be expressed as a term. For example, the two-valued Boolean algebra is primal. 
Computationally complete algebras are infinite analogues of primal algebras. 

For the next lemma that shows usefulness of computationally complete alge- 
bras we need the following definition. 

Definition 6. A finitely generated algebra $A$ is term algebraic if for any 
element $b \in A$ the number of ground terms $t$ in the language of the algebra such 
that the value of $t$ in $A$ equals $b$ is finite. 

Here is now the next lemma: 

Lemma 6. If A is a term algebraic computationally complete algebra then no 
expansion of A can be quasiequationally specified. 

Proof (outline). The idea is the following. Assume that $S$ is a quasiequational 
specification of an expansion $B = (A, \psi_1, \ldots, \psi_n)$ of the algebra $A$. Then the 
specification $S$ can be replaced with a new specification $S'$ in the original signature 
so that $S'$ specifies $A$. This can be done because, roughly, any new operation 
$\psi_i$ that occurs in $S$ can be replaced with a term $t_i$ in the original signature that equals 
$\psi_i$ almost everywhere. In the transformation of $S$ into $S'$ one needs to use the 
fact that the algebra is term algebraic. $\square$

Thus, we need to show that computationally complete and term algebraic 
algebras exist. The next lemma gives a brief outline of the construction. The 
proof uses a technique borrowed from modern computability theory, a priority 
construction carried out with a method known as a tree argument. 
For the current full version of the proof see [4]. 

Lemma 7. Computationally complete and term algebraic algebras exist. 

Proof (outline). We present the basic ideas of our construction. The signature 
of the algebra we construct is our signature $\langle c, f, g \rangle$. The construction of 
the algebra is a stagewise construction, so that at each stage we deal with an 
almost free algebra of the given signature. Let $\phi_0, \phi_1, \ldots$ be an effective list 
of all partial computable functions. The algebra $A$ that we want to construct 
must satisfy the following condition. For every $e \in \omega$, if $\phi_e$ is a total function 
and expands $A$ then $\phi_e$ must be equal to a term $t$ almost everywhere. Thus, to 
build the desired algebra $A$, the following list $\{T_e\}_{e \in \omega}$ of requirements must be 
satisfied: 

$T_e$: If $\phi_e$ is total and expands the algebra $A$ then $\phi_e$ is termal. 

We now describe the basic strategy that satisfies one requirement $T_e$. Start 
constructing the algebra $A$ by making it isomorphic to the free algebra $\mathcal{F}(\sigma)$. 
While constructing, wait until for some tuples $\bar a = (a_1, \ldots, a_n)$, $\bar b = (b_1, \ldots, b_n)$ 
in $A$ each of the following occurs: 

1. The values $\phi_e(\bar a)$ and $\phi_e(\bar b)$ are defined. 

2. There is no term $t$ and no $i$ for which $\phi_e(\bar a) = t(a_i)$ and $\phi_e(\bar b) = t(b_i)$. 

3. Viewing $A$ as a directed graph (as described earlier in this section), there is no 
directed path from $a_1$ to $b_1$ and none from $b_1$ to $a_1$, where $a_1$ and $b_1$ are the first 
components of the tuples $\bar a$ and $\bar b$. 

If such a pair $(\bar a, \bar b)$ occurs, then the desired algebra is obtained by factorizing 
$\mathcal{F}(\sigma)$ by the principal congruence relation $\eta(a_1, b_1)$. Otherwise, the desired 
algebra remains isomorphic to $\mathcal{F}(\sigma)$. 

This strategy satisfies the requirement $T_e$. Indeed, if $A$ is isomorphic to $\mathcal{F}(\sigma)$ 
then either $\phi_e$ is undefined somewhere or $\phi_e$ equals some term $t$ almost everywhere. 
If $A$ is obtained by factorizing $\mathcal{F}(\sigma)$ by $\eta(a_1, b_1)$ then $\phi_e$ no longer defines 
an operation on $A$, because there is a tuple at which the value of $\phi_e$ is not well 
defined. The point here is that the strategy makes sure that a function $\phi_e$ that 
acts improperly (that is, $\phi_e$ does not look like a term), after the action of 
the construction, does not respect the equality relation of the algebra $A$ being 
constructed. Clearly, the algebra is term algebraic. 
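Conditions 1 to 3 of the basic strategy are effectively checkable over the free algebra, and they are what the construction tests at every stage. The following Python block is an added example, not code from the paper: it encodes ground terms of $\langle c, f, g \rangle$ as strings read outermost-first (so `'fgc'` is $f(g(c))$ and a one-variable term $t(x)$ is a word over $\{f, g\}$ prepended to $x$), implements the "looks like a term $t(x_i)$" test of condition 2 (the same test, applied to finitely many sample tuples, is the termality check of Definition 4), the path test of condition 3 (a path $a \to b$ exists in $\mathcal{F}(\sigma)$ exactly when $a$ is a suffix of $b$), and the search for a witness pair. The three functions `phi_term`, `phi_not_term` and `phi_partial` are constructed stand-ins for partial computable functions, and the search bound is an assumption of this example; the block does not carry out the factorization by $\eta(a_1, b_1)$.

```python
# Added example (not from the paper): the checks of the basic strategy for a
# single requirement T_e over the free algebra F(<c,f,g>).
from itertools import product

def ground_terms(max_depth):
    """All ground terms of <c,f,g> up to the given depth, level by level."""
    terms = []
    for d in range(max_depth + 1):
        terms.extend(''.join(w) + 'c' for w in product('fg', repeat=d))
    return terms

def term_agreeing(samples):
    """Given samples (a, phi(a)), return (i, word) such that
    phi(a) == word + a[i] for every sample, i.e. a term t(x_i) that phi
    'looks like' on these tuples; return None if no such term exists."""
    if not samples:
        return None
    arity = len(samples[0][0])
    for i in range(arity):
        words = set()
        for a, value in samples:
            if not value.endswith(a[i]):
                break
            words.add(value[:len(value) - len(a[i])])
        else:
            if len(words) == 1:
                return i, words.pop()
    return None

def has_path(a, b):
    """Directed path a -> b in F(<c,f,g>) viewed as a graph: b arises from a
    by applying f's and g's, i.e. a is a suffix of b (length-0 paths count)."""
    return b.endswith(a)

def find_witness(phi, arity, max_depth):
    """Search tuples of ground terms up to max_depth (assumed bound) for a
    pair (a, b) meeting conditions 1-3; return it, or None if phi looks like
    a term on every admissible pair seen so far."""
    tuples = list(product(ground_terms(max_depth), repeat=arity))
    defined = [(a, phi(*a)) for a in tuples if phi(*a) is not None]   # cond. 1
    for (a, va), (b, vb) in product(defined, repeat=2):
        if has_path(a[0], b[0]) or has_path(b[0], a[0]):            # cond. 3
            continue
        if term_agreeing([(a, va), (b, vb)]) is None:                # cond. 2
            return a, b
    return None

# Constructed stand-ins for phi_e (assumptions of this example). A partial
# function is modelled as a callable that returns None where undefined.
def phi_term(x, y):
    """Equals the term f(g(x)) everywhere, so it is termal."""
    return 'fg' + x

def phi_not_term(x, y):
    """Switches between two different terms depending on the depth of x."""
    return x if len(x) % 2 == 0 else 'g' + y

def phi_partial(x, y):
    """Defined only when x == c; every defined pair is linked by a path."""
    return 'f' + x if x == 'c' else None
```

For `phi_term` no witness exists and the requirement is met with $A$ left free; for `phi_not_term` the search returns a pair on which no single term agrees and whose first components are incomparable in the graph, which is exactly the situation in which the strategy factorizes by $\eta(a_1, b_1)$; for `phi_partial` every defined pair has a path between first components, so the strategy keeps waiting.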
Of course the strategy to satisfy just one requirement is not a difficult one. 
Problems arise when one tries to satisfy all of the requirements $T_e$. The reason 
is that the requirements $T_e$ interact with each other. Moreover, while satisfying 
the requirements $T_e$ the construction needs to guarantee that the algebra being 
constructed does not collapse into a finite algebra. Now we would like to make 
a few notes of a general character about the construction and present some 
technical details of the construction to the reader. For the current version of the 
full construction see [4]. 

Naturally, first of all we list all the requirements $T_e$, and say that $T_i$ has 
higher priority than $T_j$ if $i < j$. Assume that the requirement $T_e$ is associated 
with the partial computable function $\phi$. While constructing the desired algebra $A$, 
the construction acts depending on the behavior of $\phi$. At any stage there are 
elements $\bar x$ in $A$ marked with $w$ and associated with $\phi$. The index $w$ indicates 
that $\phi$ is waiting to be defined on these marked $\bar x$. If $\phi$ is not defined 
on some of these elements then the outcome of $\phi$ at the given stage is that of a 
waiting state. However, $\phi$ may be defined on the marked elements. Then $\phi$ may 
exhibit two different behaviors. One is that there are a term $p$ and an $i$ such that 
$\phi(x_1, \ldots, x_i, \ldots, x_n) = p(x_i)$ on all marked elements $\bar x$. The other is that such a 
term $p$ does not exist. In the former case, the outcome of $\phi$ is that of "$\phi$ looks 
like a term", denoted by $t$. In the latter case, the construction should act, by 
using a version of the basic strategy, in such a way that $\phi$ does not respect the 
equality relation of $A$. If there is a right environment to do this now then $T_e$ is 
satisfied (informally, by a right environment we mean that the action of the 
construction to satisfy $T_e$ does not destroy the work of the requirements of higher 
priority). In this case the outcome is that of "$\phi$ is destroyed now"; we denote this 
outcome by $d$. If not, then the construction creates an environment so that $T_e$ 
will have a chance to destroy $\phi$ at a later stage. In this case the outcome is $w_d$. 
The point is that no actions performed due to the requirements of lower priority 
affect the environment created (however, the environment can be destroyed by 
satisfying requirements of higher priority, in which case $T_e$ will again get its chance 
to be satisfied). Therefore when $\phi$ is again defined on all elements of the created 
environment the construction is able to act and destroy $\phi$, so that $\phi$ does not 
respect the equality relation of the algebra being constructed. 

The desired algebra A is built by using a construction on a priority tree. Constructions on priority trees are often used in pure computability theory (see for example [11]). The alphabet of the outcomes of the priority tree is O = {t, w_t, w_d, d}. The symbol t corresponds to the outcome saying that the function under consideration is termal; w_t and w_d correspond to waiting states. The outcome w_t expresses the fact that the function under consideration seems to be a term, and the construction is waiting for the function to be defined on some elements of the algebra. The outcome w_d expresses the fact that the function seems not to be a termal function; moreover, the construction has created an environment to make sure that the function does not respect the equality relation of the algebra and is waiting for the function to be defined on certain elements of the algebra. The outcome d corresponds to the fact that the function under consideration does not respect the equality relation on A. The order on these outcomes is t < w_t < w_d < d. Consider the tree T = {t, w_t, w_d, d}^{<ω}. To each node β of the tree of length e there corresponds a β-strategy that is devoted to satisfying requirement T_e. The β-strategy is an adaptation of the basic strategy but takes into account the outcomes β(k), where k < e. In other words, the β-strategy acts by believing that the outcome of the λ-strategy (λ is the root of the priority tree) to satisfy T_0 is β(0), the outcome of the β(0)-strategy to satisfy T_1 is β(1), the outcome of the β(0)β(1)-strategy to satisfy T_2 is β(2), etc.

At the end of the construction one defines the true path on the tree by induction. Basically, it is the leftmost path f on T such that every node to the right of f acts finitely often and each node on f acts infinitely often. Then one proves, by induction on the lengths of the nodes on the true path, that the construction succeeds along the true path. The fact that the algebra constructed is term algebraic is guaranteed by the following. Each requirement T_e determines a level (that is, fixes a distance from the generator) that basically says that all the requirements of lower priority are not allowed to work below that level. In other words, once a distance for T_e is fixed, say d, then all requirements of lower priority than T_e do not affect elements x such that the distance from x to the generator is not greater than d. These levels determined by the strategies corresponding to T_e may change only finitely many times. This guarantees that for each element a of the algebra there are only finitely many ground terms whose values equal a in the algebra. □

Now we combine the constructions in Lemma 5 and Lemma 7 into one to build an algebra that has no quasiequational specification in any expansion. This is guaranteed by Lemma 6. Here is the result:

Theorem 2. There exists a finitely generated c.e. algebra such that every expansion of the algebra is not quasiequationally specified.

Proof (outline). Again, the desired algebra is built by using a diagonalization argument. On the one hand, we try to make the algebra computationally complete. On the other, we try to ensure that the algebra constructed cannot be quasiequationally specified in its own signature. For this we need to satisfy the following lists of requirements:

R_e: A is not isomorphic to T(C_e),

where {C_e}_{e∈ω} is an effective list of all quasiequational specifications in the signature ⟨c, f, g⟩, and

T_e: If φ_e is total and expands the algebra A then φ_e is termal,

where {φ_e}_{e∈ω} is an effective list of all computable partial functions. Our construction will be a stagewise construction so that even stages are devoted to satisfying the requirements R_e, and odd stages the requirements T_e. Thus, the priority list is the following:

R_0, T_0, R_1, T_1, R_2, T_2, ....
A point to note here is that the requirements R_e are somewhat independent from the requirements T_e. This is because once we have acted to satisfy R_e it can be guaranteed that no requirement of lower priority can injure R_e. The requirements T_e are satisfied in a manner similar to the one described in Lemma 7. The requirements R_e are satisfied in the manner explained in Lemma 5. Naturally, the whole construction is put on a priority tree. At nodes of even length, say 2e, the requirement R_e is met; and at nodes of odd length the requirement T_e is met. Each node α of even length has exactly one immediate successor αs, where s stands for “R_e is satisfied”, while each node α of odd length has four immediate successors αt, αw_t, αw_d, and αd, the meanings of which are described in the lemma above. □
Abstract. Existential k-pebble games, k ≥ 2, are combinatorial games played between two players, called the Spoiler and the Duplicator, on two structures. These games were originally introduced in order to analyze the expressive power of Datalog and related infinitary logics with finitely many variables. More recently, however, it was realized that existential k-pebble games have tight connections with certain consistency properties which play an important role in identifying tractable classes of constraint satisfaction problems and in designing heuristic algorithms for solving such problems. Specifically, it has been shown that strong k-consistency can be established for an instance of constraint satisfaction if and only if the Duplicator has a winning strategy for the existential k-pebble game between two finite structures associated with the given instance of constraint satisfaction. In this paper, we pinpoint the computational complexity of determining the winner of the existential k-pebble game. The main result is that the following decision problem is EXPTIME-complete: given a positive integer k and two finite structures A and B, does the Duplicator win the existential k-pebble game on A and B? Thus, all algorithms for determining whether strong k-consistency can be established (when k is part of the input) are inherently exponential.



1 Introduction and Summary of Results 

Combinatorial games are a basic tool for analyzing logical definability and delineating the expressive power of various logics. Typically, a logic L is decomposed into a union L = ⋃_{k≥1} L(k) of fragments according to some syntactic parameter, such as quantifier rank, pattern of quantification, or number of variables. With each fragment L(k), one then seeks to associate a natural combinatorial game G(k) that captures L(k)-equivalence. Specifically, the desired game G(k) is played between two players, called the Spoiler and the Duplicator, on two structures A and B, and has the following property: the Duplicator has a winning strategy for G(k) on A and B if and only if A and B satisfy the same L(k)-sentences. In the case of first-order logic FO, each such fragment is the set FO(k) of all first-order sentences of quantifier rank at most k, and the game G(k) is the k-move Ehrenfeucht-Fraïssé game. Moreover, in the case of the infinitary logic with finitely many variables, each such fragment is the infinitary logic with k variables, k ≥ 1, and the corresponding game is the k-pebble game. As is well known, k-pebble games have turned out to be an indispensable tool in the study of logics with fixed-point operators in finite model theory (see [7] for a survey).
Each game G(k) as above gives rise to the decision problem of determining the winner of this game: given two finite structures A and B, does the Duplicator have a winning strategy for G(k) on A and B? It is easy to show that, for every k ≥ 1, determining the winner of the k-move Ehrenfeucht-Fraïssé game is in LOGSPACE (this is a consequence of the fact that each equivalence class of FO(k)-equivalence is first-order definable). The state of affairs, however, is quite different for the k-pebble games. Indeed, Grohe [7] established that, for each k ≥ 2, determining the winner of the k-pebble game is a P-complete problem, that is, complete for polynomial time under logarithmic-space reductions. It is also natural to consider the decision problem that arises by taking the parameter k as part of the input (in addition to the structures A and B). Pezzoli [13] investigated the computational complexity of this problem for the Ehrenfeucht-Fraïssé game and showed that it is PSPACE-complete. In other words, Pezzoli showed that the following problem is PSPACE-complete: given a positive integer k and two finite structures A and B, does the Duplicator have a winning strategy for the k-move Ehrenfeucht-Fraïssé game on A and B? Thus, when the number of moves is part of the input, an exponential jump occurs in determining the winner of the Ehrenfeucht-Fraïssé game. It is conjectured that a similar exponential jump in complexity holds for the k-pebble game, when k is part of the input. Specifically, the conjecture is that the following problem is EXPTIME-complete: given a positive integer k and two finite structures A and B, does the Duplicator have a winning strategy for the k-pebble game on A and B? To date, this conjecture remains unsettled.

In this paper we investigate the computational complexity of the decision problems associated with the class of existential k-pebble games (or, in short, (∃, k)-pebble games), which are an asymmetric variant of the k-pebble games. These games were introduced in [11] as a tool for studying the expressive power of Datalog and of the existential positive infinitary logic ∃L^ω_∞ω with finitely many variables. More precisely, ∃L^ω_∞ω is the collection of all L^ω_∞ω-formulas containing all atomic formulas and closed under existential quantification, infinitary conjunction ⋀, and infinitary disjunction ⋁. Clearly, ∃L^ω_∞ω = ⋃_{k≥1} ∃L^k_∞ω, where ∃L^k_∞ω is the collection of all ∃L^ω_∞ω-formulas with at most k distinct variables. The differences between the (∃, k)-pebble game and the k-pebble game played on two structures A and B are that in the (∃, k)-pebble game: (1) the Spoiler always plays on A; and (2) the Duplicator strives to maintain a partial homomorphism, instead of a partial isomorphism. The main result of this paper is that determining the winner of the (∃, k)-pebble game, when k is part of the input, is an EXPTIME-complete problem. In contrast, for each fixed k ≥ 2, determining the winner of the (∃, k)-pebble game turns out to be a P-complete problem. Before commenting on the technique used to establish the main result, we discuss the motivation for investigating this problem and the implications of our main result.

Although (∃, k)-pebble games were originally used in database theory and finite model theory, in recent years they turned out to have applications to the study of constraint satisfaction. Numerous problems in several different areas of artificial intelligence and computer science can be modeled as constraint satisfaction problems [4]. In full generality, an instance of the Constraint Satisfaction Problem consists of a set of variables, a set of possible values, and a set of constraints on tuples of variables; the question is to determine whether there is an assignment of values to the variables that satisfies the given constraints. Alternatively, as first pointed out by Feder and Vardi [6], the Constraint Satisfaction Problem can be identified with the Homomorphism Problem: given two relational structures A and B, is there a homomorphism h from A to B? Intuitively, the structure A represents the variables and the tuples of variables that participate in constraints, the structure B represents the domain of values and the tuples of values that the constrained tuples of variables are allowed to take, and the homomorphisms from A to B are precisely the assignments of values to variables that satisfy the constraints. The Constraint Satisfaction Problem is NP-complete, since it contains Boolean Satisfiability, Colorability, Clique, and many other prominent NP-complete problems as special cases. For this reason, there has been an extensive pursuit of both tractable cases of the Constraint Satisfaction Problem and heuristic algorithms for this problem. In this pursuit, a particularly productive approach has been the introduction and systematic use of various consistency concepts that make explicit additional constraints implied by the original constraints. The strong k-consistency property is the most important one among them; intuitively, this property holds when every partial solution on fewer than k variables can be extended to a solution on k variables [5]. Closely related to this is the process of “establishing strong k-consistency”, which is the question of whether additional constraints can be added to a given instance of the Constraint Satisfaction Problem in such a way that the resulting instance is strongly k-consistent and has the same space of solutions as the original one. Algorithms for establishing strong k-consistency play a key role both in identifying tractable cases of constraint satisfaction and in designing heuristics for this class of problems [2,5].

In [12], a tight connection was shown to exist between strong k-consistency properties and (∃, k)-pebble games. Specifically, it turns out that strong k-consistency can be established for a given instance of the Constraint Satisfaction Problem if and only if the Duplicator has a winning strategy for the (∃, k)-pebble game on the structures A and B forming the instance of the Homomorphism Problem that is equivalent to the given instance of the Constraint Satisfaction Problem. This connection was fruitfully exploited in [3], where it was shown that the tractability of certain important cases of constraint satisfaction follows from the fact that the existence of a solution is equivalent to whether the Duplicator can win the (∃, k)-pebble game for some fixed k. Note that, for every fixed k, there is a polynomial-time algorithm to determine whether, given two finite structures A and B, the Duplicator has a winning strategy for the (∃, k)-pebble game on A and B (this had already been observed in [11]). Nonetheless, since many heuristics for constraint satisfaction require testing whether strong k-consistency can be established for arbitrarily large k's, it is important to identify the inherent computational complexity of determining the winner in the (∃, k)-pebble game, when k is part of the input. It is not hard to verify that this problem is solvable in time O(n^{2k}), that is, in time exponential in k. Moreover, it was conjectured in [12] that a matching lower bound exists, which means that the following problem is EXPTIME-complete: given a positive integer k and two finite structures A and B, does the Duplicator have a winning strategy for the (∃, k)-pebble game on A and B?

In this paper, we prove this conjecture by showing that another pebble game, which was known to be EXPTIME-complete, has a polynomial-time reduction to the (∃, k)-pebble game. Specifically, Kasai, Adachi, and Iwata [8] introduced a pebble game, which we will call the KAI game, and showed that it is EXPTIME-complete via a direct reduction from polynomial-space alternating Turing machines (recall that APSPACE = EXPTIME [1]). Our reduction of the KAI game to the (∃, k)-pebble game is quite involved and requires the construction of elaborate combinatorial gadgets. In describing this reduction and establishing its correctness, we will adopt the setup and terminology used by Grohe [7] in showing that, for every k ≥ 2, the k-pebble game is P-complete. Some of the basic gadgets in our reduction already occurred in Grohe’s reduction. However, we will also need to explicitly construct other, much more sophisticated gadgets that will serve as “switches” with special properties in the reduction. We note that Grohe also used highly sophisticated gadgets that were graphs with certain homogeneity properties. Grohe’s gadgets, however, have size exponential in k and, hence, they cannot be used in a polynomial-time reduction when k is part of the input (this is also the reason why Grohe’s reduction does not show that the k-pebble game is EXPTIME-complete, when k is part of the input). An immediate consequence of our main result is that determining whether strong k-consistency can be established, when k is part of the input, is an EXPTIME-complete problem and, thus, inherently exponential. Moreover, this explains why all known algorithms for establishing strong k-consistency are exponential in k (even ones considered to be “optimal”, see [2]).

We also address the computational complexity of determining who wins the (∃, k)-pebble game, when k is a fixed positive integer. Kasif [10] showed that determining whether strong 2-consistency can be established is a P-complete problem. From this and the aforementioned connection between strong k-consistency and the (∃, k)-pebble game [12], it follows that determining who wins the (∃, 2)-pebble game is a P-complete problem. Here we give a direct proof to the effect that, for every fixed k ≥ 2, determining who wins the (∃, k)-pebble game is a P-complete problem. This is done via a reduction from the Monotone Circuit Value Problem, which we present first as a warm-up to the reduction of the KAI game to the (∃, k)-pebble game, when k is part of the input. Due to space limitations, here we present only outlines of these reductions; complete proofs can be found in the full version of the paper, which is available at http://www.cs.ucsc.edu/~kolaitis/papers/.

2 The Existential k-Pebble Game

Let A and B be two relational structures over the same vocabulary. A homomorphism h from A to B is a mapping h : A → B from the universe A of A to the universe B of B such that, for every relation R^A of A and every tuple (a_1, ..., a_m) ∈ R^A, we have that (h(a_1), ..., h(a_m)) ∈ R^B. A partial homomorphism from A to B is a homomorphism from a substructure of A to a substructure of B.

Let k ≥ 2 be a positive integer. The existential k-pebble game (or, in short, the (∃, k)-pebble game) is played between two players, the Spoiler and the Duplicator, on two relational structures A and B according to the following rules: each player has k pebbles labeled 1, ..., k; on the i-th move of a round of the game, 1 ≤ i ≤ k, the Spoiler places a pebble on an element a_i of A, and the Duplicator responds by placing the pebble with the same label on an element b_i of B. The Spoiler wins the game at the end of that round if the correspondence a_i ↦ b_i, 1 ≤ i ≤ k, is not a homomorphism between the substructures of A and B with universes {a_1, ..., a_k} and {b_1, ..., b_k}, respectively. Otherwise, the Spoiler removes one or more pebbles, and a new round of the game begins. The Duplicator wins the (∃, k)-pebble game if he has a winning strategy, that is to say, a systematic way that allows him to sustain playing “forever”, so that the Spoiler can never win a round of the game.

To illustrate this game (and its asymmetric character), let K_m be the m-clique, that is, the complete undirected graph with m nodes. For every k ≥ 2, the Duplicator wins the (∃, k)-pebble game on K_k and K_{k+1}, but the Spoiler wins the (∃, k+1)-pebble game on K_{k+1} and K_k. As another example, let L_s be the s-element linear order, s ≥ 2. If m < n, then the Duplicator wins the (∃, 2)-pebble game on L_m and L_n, but the Spoiler wins the (∃, 2)-pebble game on L_n and L_m.

Note that the above description of a winning strategy for the Duplicator in the (∃, k)-pebble game is rather informal. The concept of a winning strategy can be made precise, however, in terms of families of partial homomorphisms with appropriate properties. Specifically, a winning strategy for the Duplicator in the existential k-pebble game on A and B is a nonempty family F of partial homomorphisms from A to B such that:

1. For every f ∈ F, the domain dom(f) of f has at most k elements.

2. F is closed under subfunctions, which means that if g ∈ F and f ⊆ g, then f ∈ F.

3. F has the k-forth property, which means that for every f ∈ F with |dom(f)| < k and every a ∈ A on which f is undefined, there is a g ∈ F that extends f and is defined on a.

Intuitively, the second condition provides the Duplicator with a “good” move when 
the Spoiler removes a pebble from an element of A, while the third condition provides 
the Duplicator with a “good” move when the Spoiler places a pebble on an element of A. 
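The three conditions above are directly computable for finite structures, and doing so also checks the clique and linear-order claims made at the start of this section: start from every partial homomorphism with at most k elements in its domain, repeatedly discard each one that violates the k-forth property together with all of its superfunctions (so that closure under subfunctions is preserved), and stop when nothing changes. The Duplicator wins if and only if the remaining family is nonempty, i.e. still contains the empty partial homomorphism. This is the brute-force procedure, exponential in k, that the introduction refers to. The Python below is an added example, not code from the paper or its authors; the Structure class, the function names, and the encoding of a partial homomorphism as a frozenset of (a, b) pairs are my own assumptions.

```python
"""Deciding the existential k-pebble game by computing the largest family of
partial homomorphisms with the k-forth property (added example, not from the paper)."""
from itertools import combinations, product


class Structure:
    """A finite relational structure: a universe plus named relations, each a set
    of tuples over the universe.  Assumed encoding; the paper fixes none."""

    def __init__(self, universe, relations):
        self.universe = list(universe)
        self.relations = {name: {tuple(t) for t in tuples}
                          for name, tuples in relations.items()}


def is_partial_hom(f, A, B):
    """f (a dict a -> b) is a partial homomorphism from A to B iff every tuple of
    A lying entirely inside dom(f) is mapped into the same relation of B."""
    for name, tuples in A.relations.items():
        target = B.relations.get(name, set())
        for t in tuples:
            if all(x in f for x in t) and tuple(f[x] for x in t) not in target:
                return False
    return True


def partial_homs(A, B, k):
    """All partial homomorphisms from A to B with at most k elements in the domain
    (condition 1), each encoded as a frozenset of (a, b) pairs."""
    homs = set()
    for size in range(k + 1):
        for dom in combinations(A.universe, size):
            for img in product(B.universe, repeat=size):
                f = dict(zip(dom, img))
                if is_partial_hom(f, A, B):
                    homs.add(frozenset(f.items()))
    return homs


def winning_strategy(A, B, k):
    """Greatest fixed point: delete every f with |dom(f)| < k that some a in A
    cannot extend inside F (condition 3 fails), together with all superfunctions
    of f, so the family stays closed under subfunctions (condition 2)."""
    F = partial_homs(A, B, k)
    while True:
        bad = set()
        for f in F:
            if len(f) >= k:
                continue  # the forth property is only demanded below k pebbles
            dom = {a for a, _ in f}
            for a in A.universe:
                if a in dom:
                    continue
                if not any(f | {(a, b)} in F for b in B.universe):
                    bad.add(f)  # no Duplicator answer when the Spoiler pebbles a
                    break
        if not bad:
            return F
        F = {g for g in F if not any(b <= g for b in bad)}


def duplicator_wins(A, B, k):
    """The Duplicator wins iff the fixed point is nonempty, which (by closure under
    subfunctions) is the same as it containing the empty partial homomorphism."""
    return frozenset() in winning_strategy(A, B, k)


def clique(m):
    """K_m: the complete undirected graph on m nodes, as a symmetric edge relation E."""
    return Structure(range(m),
                     {"E": {(i, j) for i in range(m) for j in range(m) if i != j}})


def linear_order(s):
    """L_s: the s-element linear order, as the strict relation <."""
    return Structure(range(s),
                     {"<": {(i, j) for i in range(s) for j in range(s) if i < j}})


if __name__ == "__main__":
    k = 3
    print(duplicator_wins(clique(k), clique(k + 1), k))          # Duplicator wins on K_k, K_{k+1}
    print(duplicator_wins(clique(k + 1), clique(k), k + 1))      # Spoiler wins (∃,k+1) on K_{k+1}, K_k
    print(duplicator_wins(linear_order(3), linear_order(5), 2))  # Duplicator wins (∃,2) on L_3, L_5
    print(duplicator_wins(linear_order(5), linear_order(3), 2))  # Spoiler wins (∃,2) on L_5, L_3
```

The enumeration in partial_homs is what makes the running time exponential in k (there are roughly |A|^k · |B|^k candidate functions), which is exactly why the fixed-k case is polynomial while the main result of the paper concerns k given as input. The fixed-point loop never deletes a function that belongs to some winning strategy, so the family it returns is the largest winning strategy whenever one exists.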

3 The (∃, k)-Pebble Game Is P-Complete

In this section, we show that, for every k ≥ 2, determining the winner of the (∃, k)-pebble game is a P-complete problem. We do this by constructing a reduction from the Monotone Circuit Value problem (MCV) in the style of Grohe [7], but with different gadgets. In this reduction, the structures will be undirected graphs with ten unary predicates, called colors. So, we actually prove that, for every k ≥ 2, the (∃, k)-pebble game restricted to such structures is P-complete.

The following concepts and terminology come from Grohe [7].

1. In an undirected graph with colors, a distinguished pair of vertices is a pair of vertices that are of the same color, and that color is not used for any other vertex in the graph.

2. A position of the (∃, k)-pebble game on A and B is a set P of ordered pairs such that P ⊆ A × B and |P| ≤ k. Often, we will omit the ordered pair notation and use the shorthand ab ∈ P to mean that (a, b) ∈ P.

3. A strategy for the Spoiler is simply a mapping from positions to moves which tells 
the Spoiler how to play given the current position. 

Fig. 1. H Gadget based on the one from [7]. H_S is on the left and H_D is on the right.

Fig. 2. I Gadget based on the one from [7]. I_S is on the left and I_D is on the right.

4. We say that the Spoiler can reach a position P' from another position P of the (∃, k)-pebble game on A and B if the Spoiler has a strategy for the (∃, k)-pebble game on A and B such that, starting from position P, either he wins the game or after a number of moves the game is in a position P'' such that P' ⊆ P''.

This concept will be used to combine strategies of the Spoiler on different gadgets 
in order to construct strategies for the combined game. 

5. We say that the Duplicator can avoid a position P' from another position P of the (∃, k)-pebble game on A and B if the Duplicator has a winning strategy for the (∃, k)-pebble game on A and B such that, starting from position P, position P' never occurs.

For each gadget used in the reduction there will be two pieces, one for the Spoiler’s structure and one for the Duplicator’s structure. For gadget X, we call the Spoiler’s side X_S, the Duplicator’s side X_D, and the pair (X_S, X_D) simply X.

3.1 The Gadgets H and I 

The graphs H_D and I_D, which are both based on gadgets from [7], are going to be used for AND nodes and OR nodes, respectively. H_D, as seen in Figure 1, consists of six vertices h, h', i, i', j, j'. These six vertices form three distinguished pairs, (h, h'), (i, i'), and (j, j'). There are edges from h to i and from h to j, and edges from h' to i' and from h' to j'. This graph has only one non-identity automorphism, which we will call sun, that maps any vertex a to a' and any vertex a' to a. H_S is simply the subgraph of H_D determined by h, i, j. Starting from position hh', the Spoiler can reach both ii' and jj' in the (∃, k)-pebble game on (H_S, H_D).

I_D, seen in Figure 2, has ten vertices. It contains the three distinguished pairs (h, h'), (i, i'), and (j, j'), plus four additional nodes which we will name by their connections



